On Tue, Feb 08 2022 at 12:28:21 -0600, Matt Zagrabelny via Kerberos scribbled
in "Re: unexpected failure for GSS Pg server":
Based on the server-side logs from your initial post I would
completely agree with your recent thoughts.
To confirm the state of things there are two (or three) commands that
you will need to run, one on a client system, and one on the
postgresql server (and possibly, just for good measure, a third you
your master KDC):
* On a client run `kvno postgres/
db.exam...@EXAMPLE.COM`. This
should return the key version number of the
"postgres/db.example/com" principal as fetched from the KDC.
Going by the your quoted logs, I would expect this to be "3", at
least at the time you captured those logs.
* On the postgres server run
`klist -ek /etc/postgresql-common/krb5.keytab`. This should
provide output that looks something like the following:
Keytab name: FILE:/etc/postgresql-common/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------
2 postgres/
db.exam...@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 postgres/
db.exam...@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 postgres/
db.exam...@EXAMPLE.COM (arcfour-hmac)
which may have a different selection of keytypes for your keytab,
and possibly a different value in the KVNO column. I would
guess that at the time you captured the logs, the KVNO listed
would have been less than 3 (certainly should not be more, unless
something rather weird has happened).
* Optionally, you could also use `kadmin` to connect to your KDC,
and run the subcommand: `get_principal postgres/
db.example.com`.
This will also give you a list of the current kvno (for each
keytype), which should match the value from the first command you
ran on the client. More importantly or usefully though, it will
also list when it was "Last modified", and by whom, which may shed
light on why it has changed.
Armed with that information, the most likely solution would be to
extract a fresh keytab (using either the kadmin "ktadd" subcommand, or
the handy `k5srvutil` command).
One caveat however (and something that has caught many sysadmins out
at one time or another): If you're running a clustered system which is
attempting to use the same principal on more than one server, creating
a fresh keytab will increment the kvno in the KDC again, meaning it
will be out of date on any other system that may be using the
principal. In this case you'd have to copy the keytab to those
affected systems by hand.
> For now (before anyone spends any time on my initial request for
> help) I would say that I need to do more research and confirm that
> my process is working as expected.
>
> One request, where is the documentation that describes how/where the kvno
> is used between the kdc and principals?
It may appear a bit old, but the O'Reilly book is still a classic
resource for becoming familiar with Kerberos and how it functions.
Cheers.
Dameon.
--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><