Discussion:
KVNO keeps getting higher and higher
Richard Smits
2010-04-19 06:41:11 UTC
Hello,

I have posted this question also on the samba mailing list, but no
answers there. I know this question is maybe more samba than nfs4
related, but my client is depending on krb5/nfs4, so I am hoping someone
here will know any answers.

We have clients running Fedora 11. They are running samba and winbind
version 3.4.2.0.42.

samba-winbind-3.4.2-0.42.fc11.x86_64
samba-3.4.2-0.42.fc11.x86_64
samba-common-3.4.2-0.42.fc11.x86_64

Our KDC is our Windows 2008 AD.

Our problem is that the KVNO (Key Version Number) AD attribute,
msDS-KeyVersionNumber, keeps changing and is getting higher and higher.
We are at 16 now and counting.

The problem is that I have to recreate a new keytab file because our
clients are also using an nfs4/krb5 mount on another server.

When the version is higher than local in the keytab, the krb5 security
will not work anymore.

I have talked to the Windows sysadmins and they say that the password for
a computer object is changed every 30 days, but my experience is that
the key is increased every couple of days it seems.

But the strange thing is that this is not for every computer object.
There are also Linux servers with AD computer objects that still have
version 2? How is this possible? This is a mystery to me.

The other servers are using pam_winbind. Could that be the reason why
the number will not increase in their case?

I hope to get some hints why this keeps happening.

Greetings .. Richard
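
The mismatch described in the post (a keytab holding a lower KVNO than the msDS-KeyVersionNumber stored in AD), as an added example that is not part of the original post: it parses plain `klist -k` output and an LDAP query result and lists the keytab principals whose newest key lags the directory. The hostnames, realm and both sample outputs are constructed, and the code assumes every principal in the keytab belongs to the one computer account being checked.

```python
import re

# Constructed sample of plain `klist -k /etc/krb5.keytab` output (MIT layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  14 host/client01.example.com@EXAMPLE.COM
  15 host/client01.example.com@EXAMPLE.COM
  15 nfs/client01.example.com@EXAMPLE.COM
   2 CLIENT01$@EXAMPLE.COM
"""

# Constructed sample of an LDAP query result for the computer object.
SAMPLE_LDIF = """\
dn: CN=CLIENT01,CN=Computers,DC=example,DC=com
msDS-KeyVersionNumber: 16
"""

def keytab_kvnos(klist_output):
    """Return {principal: highest KVNO present in the keytab}."""
    newest = {}
    for line in klist_output.splitlines():
        # Data rows are "<kvno> <principal@REALM>"; header rows do not match.
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            newest[principal] = max(kvno, newest.get(principal, 0))
    return newest

def directory_kvno(ldif):
    """Extract msDS-KeyVersionNumber from LDIF text, or None if absent."""
    m = re.search(r"^msDS-KeyVersionNumber:\s*(\d+)\s*$", ldif, re.M | re.I)
    return int(m.group(1)) if m else None

def stale_principals(klist_output, ldif):
    """List (principal, keytab_kvno, directory_kvno) where the keytab lags AD."""
    current = directory_kvno(ldif)
    if current is None:
        raise ValueError("msDS-KeyVersionNumber not found in LDAP output")
    return sorted((p, k, current)
                  for p, k in keytab_kvnos(klist_output).items() if k < current)

if __name__ == "__main__":
    for principal, have, want in stale_principals(SAMPLE_KLIST, SAMPLE_LDIF):
        print(f"STALE {principal}: keytab kvno {have} < AD kvno {want}")
```

Running this check on a schedule and recording when the directory value changes gives a timeline of the increments that can be compared against the 30-day rotation interval.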
