- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Kerberos - KVNO mismatch immediately after joining...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2013 01:44 AM - edited 04-30-2013 01:46 AM
04-30-2013 01:44 AM - edited 04-30-2013 01:46 AM
Kerberos - KVNO mismatch immediately after joining AD domain
Starting Config
- HPUX 11.31
- LDAP-UX authentication for login against AD is working fine
- Active Directory - Forest Functionality 2000 (running on a number of 2003/2008 DC's)
Problem
We currently have SSO working for SSH sessions on our HPUX estate, authenticated against AD. On a number of systems, we also need to enable AD authentication for Samba. As such we are following HP CIFS Server & Kerberos, to reconfigure the servers to allow this. The process described in this document, ultimately works and results in the configuration we are looking for, however we have run into a problem during this process.
At a high level, as per the doc we:
- Delete the existing user account for the machine, as created during LDAP-UX setup from AD
- Delete the existing /etc/krb5.conf on the HPUX system
- Use `net ads join ...` to cause the Samba 'net' command to create a full machine account within AD
- Modify the object created within in AD enable the 'USE_DES_KEY_ONLY' attribute (required for the SSH logins to work)
- Use `net ads keytab create ...` to generate a fresh /etc/krb5.conf on the HPUX system, with the necessary keys for Samba
This is the point that we run into the problem. The Key Version Number within the freshly created keytab is out of sync with the KVNO in AD, meaning attempts to login into the box using an AD based account fail:
"[Key version number for principal in key table is incorrect]" (syslog.log)
although the Samba shares authenticate OK. The symptoms are confirmed by following the diags steps contained in Key Version in key table incorrect.
For up to an hour, rerunning the command to regenerate the keytab on the HPUX side results in the same problem. After approximately an hour, recreating the keytab results in the KVNO being in sync and from there everything works fine. Whilst ultimately we do get the system working, an hour is a long time to have our LDAP enabled logins broken on our live systems.
I am presuming there is some sync delay in the system somewhere, but so far I am struggling to track down a way to avoid it. I have confirmed that the AD DC we are interacting with from the HPUX system, has a current version of the machine account (by checkig that the USE_DES_KEY_ONLY attribute is present) and have also tried running a `kdestroy` & then `kinit ...` directly before running `net ads keytab create ...` but the problem remains.
I had started to wonder if the AD will only serve the most current KVNO once all member DC's are in sync, but running ` kvno host/hostA.subdomain.com` always produces the current KVNO throughout.
Does anybody have any suggestions as to the source of the delay or a way to avoid it?
Many thanks.