Home / server / Questions / 601270
Accepted
ixe013
Asked: 2014-06-03 10:00:22 +0800 CST

Retreive the current Kerberos KVNO from Active Directory

  • 772

I have a Kerberos problem with a Linux host connecting to a Windows KDC. I suspect that Kerberos key with the wrong version is to blame.

One way to be shure would be to delete the SPN and create it anew, but this is in a production environment and I must debug in "read-only", if you will.

How can I retreive the current Kerberos KVNO from a principal in Active Directory ?

linux

7 Answers

  1. With PowerShell's AD Cmdlets it's possible to query for kvno:

    PS> import-module ActiveDirectory
    ^^^ if this fails, find a Windows server where it is installed
PS> get-aduser <username> -property msDS-KeyVersionNumber
    • 8
  2. Best Answer

    I'm incredulous as to whether KVNO has anything to do with your problem, OK maybe with Linux clients, but anyway, use Wireshark/Network Monitor:

    kvno

    Key Version Numbers are described in MS-KILE section 3.1.5.8.

    By the way, Mathias R. Jessen is correct in that in that Windows typically ignores KVNOs. But they are still implemented in an RFC-complaint way.

    https://docs.microsoft.com/en-us/archive/blogs/openspecification/to-kvno-or-not-to-kvno-what-is-the-version

    No, Windows does not pay attention to KVNO. It simply ignores it.

    But the KVNO does have some significance in an RODC environment:

    https://docs.microsoft.com/en-us/archive/blogs/openspecification/notes-on-kerberos-kvno-in-windows-rodc-environment

    Some more info here: https://web.archive.org/web/20150204183217/http://support.microsoft.com/kb/2716037

    In an environment with one or more RODCs authentication may fail when interacting with certain MIT based Kerberos devices in one of the following scenarios.

    · The client is an MIT device which received a TGT from Windows KDC on RODC

    · The client passes a TGT generated by Windows KDC on RODC to MIT Device which in turn uses the TGT to request a TGS on behalf of the calling user.

    In both scenarios the TGT will have been issued by an RODC where the msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.

    • 7 
  3. dsquery * -filter sAMAccountName=Accountname -attr msDS-KeyVersionNumber
    • 5

  4. On linux you can use kvno command to retreive it from KDC

    [root@XXXX XXX]# kvno host/XXXX

host/[email protected]: kvno = 13
    • 4

  5. Query from a AD joined linux server:

    net ads search  -P  '(&(objectCategory=computer)(cn=HOSTNAME))'  msDS-KeyVersionNumber

    replace HOSTNAME with your hostname.

    • 3

  6. my team has had to work through this before and we found the following works on some Linux systems to get the KVNO number:

    adquery user $USER --dump | grep KeyVersionNumber

    Of course, you can replace the $USER with an actual user needed.

    • 0

  7. I don't know what your specific fix was for this problem, for me I found the another error mentioning pam couldn't work out the domain from the hostname. When I checked the /etc/hosts file wasn't consistent with the hostname set via hostnamectl.

    # Broken
127.0.0.1 hostname hostname.example.com
# Fixed
127.0.0.1 hostname.example.com hostname

    Would have thought this would have affected the problem, but it starting behaving after I set this.

    • 0