
My FreeBSD box is using the Heimdal Kerberos implementation. It is registered with the corporate AD, its msDS-KeyVersionNumber attribute is set to 2, and its keytab has the following entries:

FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  OROLO$@EXAMPLE.NET                       
  2  aes128-cts-hmac-sha1-96  OROLO$@EXAMPLE.NET                       
  2  des3-cbc-sha1            OROLO$@EXAMPLE.NET                       
  2  arcfour-hmac-md5         OROLO$@EXAMPLE.NET                       
  2  des-cbc-md5              OROLO$@EXAMPLE.NET                       
  2  des-cbc-crc              OROLO$@EXAMPLE.NET                       
  2  aes256-cts-hmac-sha1-96  host/orolo.dyn.example.net@EXAMPLE.NET  
  2  aes128-cts-hmac-sha1-96  host/orolo.dyn.example.net@EXAMPLE.NET  
  2  des3-cbc-sha1            host/orolo.dyn.example.net@EXAMPLE.NET  
  2  arcfour-hmac-md5         host/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-md5              host/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-crc              host/orolo.dyn.example.net@EXAMPLE.NET  
  2  aes256-cts-hmac-sha1-96  nfs/OROLO@EXAMPLE.NET                    
  2  aes128-cts-hmac-sha1-96  nfs/OROLO@EXAMPLE.NET                    
  2  des3-cbc-sha1            nfs/OROLO@EXAMPLE.NET                    
  2  arcfour-hmac-md5         nfs/OROLO@EXAMPLE.NET                    
  2  des-cbc-md5              nfs/OROLO@EXAMPLE.NET                    
  2  des-cbc-crc              nfs/OROLO@EXAMPLE.NET                    
  2  aes256-cts-hmac-sha1-96  nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  aes128-cts-hmac-sha1-96  nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  des3-cbc-sha1            nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  arcfour-hmac-md5         nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  des-cbc-md5              nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  des-cbc-crc              nfs/orolo.dyn.example.net@EXAMPLE.NET   
  2  aes256-cts-hmac-sha1-96  http/OROLO@EXAMPLE.NET                   
  2  aes128-cts-hmac-sha1-96  http/OROLO@EXAMPLE.NET                   
  2  des3-cbc-sha1            http/OROLO@EXAMPLE.NET                   
  2  arcfour-hmac-md5         http/OROLO@EXAMPLE.NET                   
  2  des-cbc-md5              http/OROLO@EXAMPLE.NET                   
  2  des-cbc-crc              http/OROLO@EXAMPLE.NET                   
  2  aes256-cts-hmac-sha1-96  http/orolo.dyn.example.net@EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  http/orolo.dyn.example.net@EXAMPLE.NET  
  2  des3-cbc-sha1            http/orolo.dyn.example.net@EXAMPLE.NET  
  2  arcfour-hmac-md5         http/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-md5              http/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-crc              http/orolo.dyn.example.net@EXAMPLE.NET  
  2  aes256-cts-hmac-sha1-96  ftp/OROLO@EXAMPLE.NET                    
  2  aes128-cts-hmac-sha1-96  ftp/OROLO@EXAMPLE.NET                    
  2  des3-cbc-sha1            ftp/OROLO@EXAMPLE.NET                    
  2  arcfour-hmac-md5         ftp/OROLO@EXAMPLE.NET                    
  2  des-cbc-md5              ftp/OROLO@EXAMPLE.NET                    
  2  des-cbc-crc              ftp/OROLO@EXAMPLE.NET                    
  2  aes256-cts-hmac-sha1-96  ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  aes128-cts-hmac-sha1-96  ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  des3-cbc-sha1            ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  arcfour-hmac-md5         ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  des-cbc-md5              ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  des-cbc-crc              ftp/orolo.dyn.example.net@EXAMPLE.NET   
  2  aes256-cts-hmac-sha1-96  cifs/OROLO@EXAMPLE.NET                   
  2  aes128-cts-hmac-sha1-96  cifs/OROLO@EXAMPLE.NET                   
  2  des3-cbc-sha1            cifs/OROLO@EXAMPLE.NET                   
  2  arcfour-hmac-md5         cifs/OROLO@EXAMPLE.NET                   
  2  des-cbc-md5              cifs/OROLO@EXAMPLE.NET                   
  2  des-cbc-crc              cifs/OROLO@EXAMPLE.NET                   
  2  aes256-cts-hmac-sha1-96  cifs/orolo.dyn.example.net@EXAMPLE.NET  
  2  aes128-cts-hmac-sha1-96  cifs/orolo.dyn.example.net@EXAMPLE.NET  
  2  des3-cbc-sha1            cifs/orolo.dyn.example.net@EXAMPLE.NET  
  2  arcfour-hmac-md5         cifs/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-md5              cifs/orolo.dyn.example.net@EXAMPLE.NET  
  2  des-cbc-crc              cifs/orolo.dyn.example.net@EXAMPLE.NET  

However, attempts to log in with GSSAPI authentication from other hosts fail. Running sshd with the -d option, I see the following error message:

Failed to find host/orolo.dyn.example.net@EXAMPLE.NET(kvno 10) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Why is it looking for kvno 10 instead of 2?

Mikhail T.
  • Just a quick comment as I'm on mobile at the moment. Are you running samba or win bind that actively refresh the Kerberos keys and/or regularly reset the AD computer account password? Because that would increase the KVNO in AD. On other hosts a service ticket would be optioned from AD with only the most recent KVNO 10 where your key tab file hasn't been updated with those. – HBruijn Jun 24 '16 at 06:50
  • No, not running Samba or anything here. The keytab listed in my question was recently generated using [adcli](https://www.freedesktop.org/software/realmd/adcli/adcli.html). Thanks! – Mikhail T. Jun 24 '16 at 14:42
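
A small diagnostic, added here and not part of the question, of Heimdal, or of adcli: it parses the Heimdal `ktutil list` style keytab listing and the sshd -d message shown above and reports whether the failing lookup is missing the principal, missing the enctype, or only disagrees on the kvno. The listing below is a constructed excerpt of the one in the question.

```python
import re

# Constructed sample input: a shortened copy of the keytab listing and the
# sshd -d error line from the question above.
KEYTAB_LISTING = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  OROLO$@EXAMPLE.NET
  2  aes256-cts-hmac-sha1-96  host/orolo.dyn.example.net@EXAMPLE.NET
  2  aes128-cts-hmac-sha1-96  host/orolo.dyn.example.net@EXAMPLE.NET
  2  arcfour-hmac-md5         host/orolo.dyn.example.net@EXAMPLE.NET
"""
SSHD_ERROR = ("Failed to find host/orolo.dyn.example.net@EXAMPLE.NET(kvno 10) "
              "in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)")

# One keytab entry: "  <vno>  <enctype>  <principal>"; the header row starts with "Vno".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")
# The GSSAPI keytab lookup failure as sshd -d prints it.
ERROR_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")


def parse_keytab_listing(text):
    """Return a set of (kvno, enctype, principal) tuples from a ktutil listing."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_sshd_error(line):
    """Extract principal, kvno, keytab path and enctype the server looked for."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    return {"principal": m.group(1), "kvno": int(m.group(2)),
            "keytab": m.group(3), "enctype": m.group(4)}


def diagnose(listing, error_line):
    """Classify the failure; second element lists what the keytab does hold."""
    want = parse_sshd_error(error_line)
    if want is None:
        return ("unparsed", [])
    entries = parse_keytab_listing(listing)
    same_principal = {(k, e) for k, e, p in entries if p == want["principal"]}
    if not same_principal:
        return ("principal-missing", [])
    kvnos = sorted(k for k, e in same_principal if e == want["enctype"])
    if not kvnos:
        return ("enctype-missing", sorted({e for _, e in same_principal}))
    if want["kvno"] in kvnos:
        return ("present", kvnos)
    return ("kvno-mismatch", kvnos)
```

Run against the question's data it reports a kvno mismatch with only kvno 2 on file, which is the case to compare against the AD computer object's msDS-KeyVersionNumber.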
