[32829] in Kerberos


Problem with kerberos - kvno getting bumped..

daemon@ATHENA.MIT.EDU (Eric Youngdale)
Wed Oct 20 13:51:56 2010

Date: Wed, 20 Oct 2010 12:36:37 -0400
Message-ID: <3BC2DCB52AF45F4FB3CBB131653CDF6C063C2321@vamsexch.mks.com>
From: Eric Youngdale <Eric.Youngdale@mks.com>
To: <kerberos@mit.edu>

I have a Linux (Ubuntu) box joined to a Windows domain (I
believe the domain controllers are Server 2003) so I can use Kerberos
authentication.  Initially everything is working fine - I can ssh into
the box using gssapiauthentication.

After some number of days, this stops working, however.  I
would find that I could re-generate the keytab and the problem would go
away for a while and eventually come back.  The most recent time I
noticed that it stopped working on a Monday morning - implying perhaps
that something changed over a weekend.

I built the Kerberos libraries with optimization turned off so I could
step through, and what became clear was that the KVNO for the machine
account had changed - in AD the number was now 30, but the keytab had a
KVNO of 24.  So it wasn't just one bump - there were several (the keys
were generated on 09/25/10).

At this point, I don't know *why* the kvno is changing.  Right now I
have a script running that polls the KVNO every 5 minutes so I can see
exactly when the thing changes - once I have a time, I can start looking
at logs (both on the Linux box and perhaps even on the domain
controller).  For that matter, I could probably shut down the Linux box
for a few weeks to see whether the KVNO bumps happen without the machine
being up or not.

Does anyone have anything else to suggest for what I should
be looking for?

-Eric

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
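
The check the post describes, comparing the KVNO stored in the keytab with the one the KDC currently issues and timestamping the result, can be sketched as follows. This is an added example, not the poster's script; it assumes MIT `klist -k` and `kvno` output formats, and the principal name, the `KEYTAB` variable and the sample text are constructed for illustration.

```shell
# Added example, not from the original post. Principal and sample text are constructed.

# Highest KVNO stored for principal $1; reads `klist -k` output on stdin.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max >= 0) print max }'
}

# KVNO on the ticket the KDC issued; reads `kvno <principal>` output on stdin,
# one line of the form "<principal>: kvno = N".
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $NF }'
}

# One status word plus both numbers; an empty value means a lookup failed.
check_drift() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "UNKNOWN keytab=${1:-?} kdc=${2:-?}"
    elif [ "$1" -eq "$2" ]; then
        echo "OK kvno=$1"
    else
        echo "DRIFT keytab=$1 kdc=$2"
    fi
}

# Live check for principal $1, timestamped in UTC for correlation with logs.
# kvno answers from a service ticket already in the credential cache, so run
# this against a cache that holds only a fresh TGT.
check_once() {
    kt=$(klist -k "${KEYTAB:-/etc/krb5.keytab}" 2>/dev/null | keytab_kvno "$1")
    kdc=$(kvno "$1" 2>/dev/null | kdc_kvno "$1")
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $1 $(check_drift "$kt" "$kdc")"
}

# Offline demo on constructed output, using the two numbers from the post.
sample_status() {
    p=host/linuxbox.example.com@EXAMPLE.COM
    kt=$(printf '%s\n' 'KVNO Principal' '---- ---------' "  23 $p" "  24 $p" |
         keytab_kvno "$p")
    kdc=$(printf '%s\n' "$p: kvno = 30" | kdc_kvno "$p")
    check_drift "$kt" "$kdc"
}
```

Calling `check_once` from a scheduler at the polling interval and appending its output to a file gives a timeline whose first `DRIFT` line bounds when the machine account key changed.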
