HPE Community
Operating System - HP-UX
1753309 Members
6506 Online
108792 Solutions
New Discussion

Kerberos - KVNO mismatch immediately after joining AD domain

 
stewart_m
Occasional Visitor

‎04-30-2013 01:44 AM - edited ‎04-30-2013 01:46 AM

‎04-30-2013 01:44 AM - edited ‎04-30-2013 01:46 AM

Kerberos - KVNO mismatch immediately after joining AD domain

Starting Config

  • HPUX 11.31
  • LDAP-UX authentication for login against AD is working fine
  • Active Directory - Forest Functionality 2000 (running on a number of 2003/2008 DC's)


Problem

We currently have SSO working for SSH sessions on our HPUX estate, authenticated against AD. On a number of systems, we also need to enable AD authentication for Samba. As such we are following HP CIFS Server & Kerberos, to reconfigure the servers to allow this. The process described in this document, ultimately works and results in the configuration we are looking for, however we have run into a problem during this process.

At a high level, as per the doc we:

  • Delete the existing user account for the machine, as created during LDAP-UX setup from AD
  • Delete the existing /etc/krb5.conf on the HPUX system
  • Use `net ads join ...` to cause the Samba 'net' command to create a full machine account within AD
  • Modify the object created within in AD enable the 'USE_DES_KEY_ONLY' attribute (required for the SSH logins to work)
  • Use `net ads keytab create ...` to generate a fresh /etc/krb5.conf on the HPUX system, with the necessary keys for Samba


This is the point that we run into the problem. The Key Version Number within the freshly created keytab is out of sync with the KVNO in AD, meaning attempts to login into the box using an AD based account fail:

"[Key version number for principal in key table is incorrect]" (syslog.log)

although the Samba shares authenticate OK. The symptoms are confirmed by following the diags steps contained in Key Version in key table incorrect.

For up to an hour, rerunning the command to regenerate the keytab on the HPUX side results in the same problem. After approximately an hour, recreating the keytab results in the KVNO being in sync and from there everything works fine. Whilst ultimately we do get the system working, an hour is a long time to have our LDAP enabled logins broken on our live systems.

I am presuming there is some sync delay in the system somewhere, but so far I am struggling to track down a way to avoid it. I have confirmed that the AD DC we are interacting with from the HPUX system, has a current version of the machine account (by checkig that the USE_DES_KEY_ONLY attribute is present) and have also tried running a `kdestroy` & then `kinit ...` directly before running `net ads keytab create ...` but the problem remains.

I had started to wonder if the AD will only serve the most current KVNO once all member DC's are in sync, but running ` kvno host/hostA.subdomain.com` always produces the current KVNO throughout.

Does anybody have any suggestions as to the source of the delay or a way to avoid it?

Many thanks.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.