[16612] in Kerberos_V5_Development
kvno overflow
daemon@ATHENA.MIT.EDU (Jonathan Reams)
Mon Jan 31 15:12:04 2011
From: Jonathan Reams <jr3074@columbia.edu>
Date: Mon, 31 Jan 2011 15:11:59 -0500
Message-Id: <EF74BC0F-CB42-4A78-96F6-2A01D3797CD9@columbia.edu>
To: krbdev@mit.edu
It looks like there's a difference between how kvnos are handled in keytabs vs the principals database/kadmin. In order to monitor our iprop setup, we have a principal whose key gets added to a keytab once an hour, and when the kvno hit 257, it reset to 0 in the keytab, but not in kadmin.
[root@doversole ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
0 iprop_monitor@CC.COLUMBIA.EDU
0 iprop_monitor@CC.COLUMBIA.EDU
0 iprop_monitor@CC.COLUMBIA.EDU
0 iprop_monitor@CC.COLUMBIA.EDU
[root@doversole ~]# kadmin -p rjr3074
Authenticating as principal rjr3074 with password.
Password for rjr3074@CC.COLUMBIA.EDU:
kadmin: getprinc iprop_monitor
Principal: iprop_monitor@CC.COLUMBIA.EDU
Expiration date: [never]
Last password change: Mon Jan 31 12:01:01 EST 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 31 12:01:01 EST 2011 (iprop_monitor@CC.COLUMBIA.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 257, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 257, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 257, ArcFour with HMAC/md5, no salt
Key: vno 257, DES cbc mode with CRC-32, no salt
Looks like a bug to me. In the meantime, is there any way to reset the kvno in kadmin so the keytab and kadmin can be in sync again?
Jonathan Reams
Columbia University
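
Added example, not part of the original message and not MIT krb5 code: a minimal reader for the documented MIT keytab version 2 record layout, which stores the key version in an 8-bit field and optionally repeats it as a 32-bit field at the end of the record. The helper names `build_entry` and `parse_keytab`, the realm `EXAMPLE.TEST` and the all-zero keys are constructed for illustration.

```python
import struct

# Added example. Record layout assumed from the MIT keytab version 2 format.
def _data(b):  # counted octet string: 16-bit big-endian length, then bytes
    return struct.pack(">H", len(b)) + b

def build_entry(realm, comps, kvno, key, enctype=18, vno32=True):
    """Serialize one record (writer for the constructed sample below)."""
    body = struct.pack(">H", len(comps)) + _data(realm.encode())
    body += b"".join(_data(c.encode()) for c in comps)
    body += struct.pack(">II", 1, 0)              # name type, timestamp
    body += struct.pack(">BH", kvno & 0xFF, enctype) + _data(key)  # 8-bit kvno
    if vno32:
        body += struct.pack(">I", kvno)           # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(buf):
    """Return (principal, 8-bit kvno, 32-bit kvno or None, effective kvno)."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                              # hole left by a removed entry
            pos -= size
            continue
        rec, pos, off = buf[pos:pos + size], pos + size, 2
        def data():
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = data().decode()
        name = "/".join(data().decode() for _ in range(ncomp))
        vno8 = rec[off + 8]                       # after name type + timestamp
        off += 11                                 # ...then skip the 16-bit enctype
        data()                                    # key contents
        has32 = len(rec) - off >= 4
        vno32 = struct.unpack_from(">I", rec, off)[0] if has32 else 0
        out.append((f"{name}@{realm}", vno8, vno32 or None, vno32 or vno8))
    return out

# Constructed sample: one principal, (kvno, 32-bit field written?) per record.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("EXAMPLE.TEST", ["monitor"], k, b"\0" * 32, vno32=w)
    for k, w in [(255, True), (256, False), (300, False), (300, True)])
```

Records written without the trailing 32-bit field can only report the low 8 bits of the key version, so comparing the effective value against the KDC's `getprinc` output is a quick check for a wrapped keytab.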