Retreive the current Kerberos KVNO from Active Directory

Question

I have a Kerberos problem with a Linux host connecting to a Windows KDC. I suspect that Kerberos key with the wrong version is to blame.

One way to be shure would be to delete the SPN and create it anew, but this is in a production environment and I must debug in "read-only", if you will.

How can I retreive the current Kerberos KVNO from a principal in Active Directory ?

The Windows implementation of Kerberos V5 ignores the `KVNO` value, and simply tries to use the 2 known secrets (current and previous) it has available to decrypt requests. It simply doesn't matter — Mathias R. Jessen, Jun 02 '14 at 18:18
I forgot to mention the client is Linux. Active Directory must be holding it, since it increments it each time ktpass is called. — ixe013, Jun 02 '14 at 18:38
All the same, if the KDC is Windows, it still doesn't matter — Mathias R. Jessen, Jun 02 '14 at 18:40
The kvno is crucial for sssd. If they do not match you'll see this in /var/log/sssd/krb5_child.log (on ubuntu 16.04) `Cannot find key for kvno in keytab`. The KDC is Windows in this case. — Bill Ryder, Sep 21 '17 at 21:52
@MathiasR.Jessen, the question clearly states that the client is Linux, where kvno very much does matter. What Windows systems do is interesting, but does not answer the question. — Medievalist, Feb 03 '20 at 16:31
@Medievalist If you observe the timestamps you'll find that OP edited the question _after_ my initial comment :) — Mathias R. Jessen, Feb 03 '20 at 16:41

score 10 · Answer 1 · edited Aug 23 '21 at 23:58

10

With PowerShell's AD Cmdlets it's possible to query for kvno:

PS> import-module ActiveDirectory
    ^^^ if this fails, find a Windows server where it is installed
PS> get-aduser <username> -property msDS-KeyVersionNumber

edited Aug 23 '21 at 23:58

kevinarpe

191
10

answered Aug 22 '17 at 11:36

plaes

347
5
10

4

If it's a machine trust account you need "get-adcomputer" but otherwise it's the same syntax. get-adcomputer -property msDS-KeyVersionNumber – Medievalist Feb 03 '20 at 16:28

score 7 · Accepted Answer · edited Oct 16 '20 at 10:49

~~I'm incredulous as to whether KVNO has anything to do with your problem~~, OK maybe with Linux clients, but anyway, use Wireshark/Network Monitor:

kvno

Key Version Numbers are described in MS-KILE section 3.1.5.8.

By the way, Mathias R. Jessen is correct in that in that Windows typically ignores KVNOs. But they are still implemented in an RFC-complaint way.

https://docs.microsoft.com/en-us/archive/blogs/openspecification/to-kvno-or-not-to-kvno-what-is-the-version

No, Windows does not pay attention to KVNO. It simply ignores it.

But the KVNO does have some significance in an RODC environment:

https://docs.microsoft.com/en-us/archive/blogs/openspecification/notes-on-kerberos-kvno-in-windows-rodc-environment

Some more info here: https://web.archive.org/web/20150204183217/http://support.microsoft.com/kb/2716037

In an environment with one or more RODCs authentication may fail when interacting with certain MIT based Kerberos devices in one of the following scenarios.

· The client is an MIT device which received a TGT from Windows KDC on RODC

· The client passes a TGT generated by Windows KDC on RODC to MIT Device which in turn uses the TGT to request a TGS on behalf of the calling user.

In both scenarios the TGT will have been issued by an RODC where the msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.

Thanks for you answer. The problem turned out to be irrelevant with the key version. But your answer is "accept" worthy, by large ! — ixe013, Jun 04 '14 at 14:36

score 6 · Answer 3 · edited Jan 16 '17 at 14:49

6

dsquery * -filter sAMAccountName=Accountname -attr msDS-KeyVersionNumber

edited Jan 16 '17 at 14:49

Mathias R. Jessen

25,161
4
63
95

answered May 12 '16 at 11:02

MontxoMD

61
1
2

6

Please add some more details ... – Pierre.Vriens May 12 '16 at 12:50

score 4 · Answer 4 · answered Jul 01 '15 at 13:55

4

On linux you can use kvno command to retreive it from KDC

[root@XXXX XXX]# kvno host/XXXX

host/XXXX@TEST.COM: kvno = 13

answered Jul 01 '15 at 13:55

nerocide

41
1

4

This only queries the locally cached credentials. I have had plenty of cases where it returns an outdated kvno - and /var/log/sssd/krb5_child.log told me what the actual version number should be in error messages. – Bill Ryder Sep 21 '17 at 21:48

score 3 · Answer 5 · answered Nov 08 '17 at 12:59

3

Query from a AD joined linux server:

net ads search  -P  '(&(objectCategory=computer)(cn=HOSTNAME))'  msDS-KeyVersionNumber

replace HOSTNAME with your hostname.

answered Nov 08 '17 at 12:59

st0ne

131
2

score 0 · Answer 6 · edited Jun 15 '21 at 15:33

0

my team has had to work through this before and we found the following works on some Linux systems to get the KVNO number:

adquery user $USER --dump | grep KeyVersionNumber

Of course, you can replace the $USER with an actual user needed.

edited Jun 15 '21 at 15:33

bjoster

4,805
5
25
33

answered Jun 14 '21 at 18:28

Engineering Team

1

score 0 · Answer 7 · answered Feb 11 '22 at 15:43

I don't know what your specific fix was for this problem, for me I found the another error mentioning pam couldn't work out the domain from the hostname. When I checked the /etc/hosts file wasn't consistent with the hostname set via hostnamectl.

# Broken
127.0.0.1 hostname hostname.example.com
# Fixed
127.0.0.1 hostname.example.com hostname

Would have thought this would have affected the problem, but it starting behaving after I set this.

Retreive the current Kerberos KVNO from Active Directory

7 Answers7