Re: [Samba] [Samba 4.0] Floating KVNO

2013-02-15 Thread Kaito Kumashiro
On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett abart...@samba.org wrote:

> > I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> > while however I have to regenerate a keytab, because for reasons unknown to
> > me, the KVNO is increased by one. I'm not doing anything with an account
> > the SPN is bound to. The KVNO seems to change automagically after a few days
> > and the service cannot talk to the KDC unless I create a new keytab.
> >
> > What can cause the KVNO (and probably the keys) to change automagically? Is
> > there a way to disable this?
>
> In AD, the KVNO is based on the replication metadata, specifically the
> version number for the unicodePwd attribute.  It should only change if
> that attribute is changed.
>
> What is the client in this case?

I'm 100% positive the account with SPN has not been changed in any way by
me or my co-workers. It's a computer account (CN=Computers), so I don't see
a way any client could reset the password.

On the other side is Postgres 9.2.2 (with GSSAPI). For example, yesterday
it asked me politely to go away, because the KDC returned KVNO 18 (which was
shown in an error message) and the keytab had KVNO 17 (which I confirmed with
ktutil).


Regards
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
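
Added example, not part of the original thread or of Samba: a shell check for the mismatch described above (keytab at KVNO 17, KDC at 18) that compares the highest KVNO in a keytab with the one the KDC reports. It assumes the MIT Kerberos output formats of `klist -k` and `kvno`; the principal, realm and keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect KVNO drift between a service keytab and the KDC.
# Assumes MIT Kerberos output formats for `klist -k` and `kvno`.

# Print the highest KVNO found in `klist -k` output (stdin) for principal $1.
# Exits non-zero if the principal has no entry in the keytab.
keytab_max_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# Print the KVNO from a `kvno <principal>` line, e.g. "svc/host@REALM: kvno = 18".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# check_kvno_drift PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Returns 0 if in sync, 1 on drift, 2 if either input could not be parsed.
check_kvno_drift() {
    kt=$(printf '%s\n' "$2" | keytab_max_kvno "$1") || return 2
    kdc=$(kdc_kvno "$3")
    [ -n "$kdc" ] || return 2
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: $1 keytab and KDC both at KVNO $kdc"
        return 0
    fi
    echo "DRIFT: $1 keytab has KVNO $kt, KDC reports KVNO $kdc"
    return 1
}

# Constructed sample data (hypothetical principal, realm and path), using the
# KVNO values reported in the thread: keytab 17, KDC 18.
SAMPLE_PRINC='postgres/db.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/postgres.keytab
KVNO Principal
---- ------------------------------------------------------------
  17 postgres/db.example.com@EXAMPLE.COM
  17 postgres/db.example.com@EXAMPLE.COM'
SAMPLE_KVNO='postgres/db.example.com@EXAMPLE.COM: kvno = 18'

# Live use (needs a valid TGT for `kvno`):
#   check_kvno_drift "$p" "$(klist -k /path/to/keytab)" "$(kvno "$p")"
check_kvno_drift "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

Run from cron against each service keytab, a return code of 1 flags the drift before the service starts rejecting tickets.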


Re: [Samba] [Samba 4.0] Floating KVNO

2013-02-15 Thread Andrew Bartlett
On Fri, 2013-02-15 at 10:22 +0100, Kaito Kumashiro wrote:
> On Fri, Feb 15, 2013 at 2:26 AM, Andrew Bartlett abart...@samba.org wrote:
>
> > > I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> > > while however I have to regenerate a keytab, because for reasons unknown to
> > > me, the KVNO is increased by one. I'm not doing anything with an account
> > > the SPN is bound to. The KVNO seems to change automagically after a few days
> > > and the service cannot talk to the KDC unless I create a new keytab.
> > >
> > > What can cause the KVNO (and probably the keys) to change automagically? Is
> > > there a way to disable this?
> >
> > In AD, the KVNO is based on the replication metadata, specifically the
> > version number for the unicodePwd attribute.  It should only change if
> > that attribute is changed.
> >
> > What is the client in this case?
>
> I'm 100% positive the account with SPN has not been changed in any way by
> me or my co-workers. It's a computer account (CN=Computers), so I don't see
> a way any client could reset the password.
>
> On the other side is Postgres 9.2.2 (with GSSAPI). For example, yesterday
> it asked me politely to go away, because the KDC returned KVNO 18 (which was
> shown in an error message) and the keytab had KVNO 17 (which I confirmed with
> ktutil).

Do you have more than one DC?  Are you sure they are replicating
correctly?

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] [Samba 4.0] Floating KVNO

2013-02-14 Thread Kaito Kumashiro
Hello

I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
while however I have to regenerate a keytab, because for reasons unknown to
me, the KVNO is increased by one. I'm not doing anything with an account
the SPN is bound to. The KVNO seems to change automagically after a few days
and the service cannot talk to the KDC unless I create a new keytab.

What can cause the KVNO (and probably the keys) to change automagically? Is
there a way to disable this?


Regards


Re: [Samba] [Samba 4.0] Floating KVNO

2013-02-14 Thread Andrew Bartlett
On Thu, 2013-02-14 at 14:05 +0100, Kaito Kumashiro wrote:
> Hello
>
> I'm using Samba 4.0.1 also to authenticate users via Kerberos. Once in a
> while however I have to regenerate a keytab, because for reasons unknown to
> me, the KVNO is increased by one. I'm not doing anything with an account
> the SPN is bound to. The KVNO seems to change automagically after a few days
> and the service cannot talk to the KDC unless I create a new keytab.
>
> What can cause the KVNO (and probably the keys) to change automagically? Is
> there a way to disable this?

In AD, the KVNO is based on the replication metadata, specifically the
version number for the unicodePwd attribute.  It should only change if
that attribute is changed.

What is the client in this case?

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

