Key version number in a host.keytab file changes after a password change or rejoin.
1. The Vno or Kvno (key version number) distinguishes between multiple keys associated with the same security principal, as happens when the principal's password changes (i.e. the key version number is incremented by one). When a password is changed, there may still be tickets issued for the VAS service (host/<machine>) that were generated from the old password.
VAS keeps any possibly valid passwords in its cache, for any ticket (i.e. a credential cache with a service ticket) that still exists for any of the previous passwords.
2. Doing a rejoin deletes the keytab and starts with a fresh one (and the DC increments the KVNO).
3. Also, every 30 days (by default) VAS will change the computer account password, and a new Vno will appear in the list (for every key).
Changing the password results in new keys, while the old keys (associated with the last password) are retained. This can be seen with vastool ktutil list.
# vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
18 arcfour-hmac-md5 host/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 SUSE10$@CS-VAS.CA
18 arcfour-hmac-md5 cifs/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 host/SUSE10@CS-VAS.CA
# vastool -u administrator passwd -r host/
Administrator@cs-vas.ca setting password for SUSE10$@CS-VAS.CA...
Password for Administrator@cs-vas.ca:
Saving new key in keytab file: /etc/opt/quest/vas/host.keytab
Password for SUSE10$@CS-VAS.CA was successfully set
# vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
18 arcfour-hmac-md5 host/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 SUSE10$@CS-VAS.CA
18 arcfour-hmac-md5 cifs/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 host/SUSE10@CS-VAS.CA
19 arcfour-hmac-md5 SUSE10$@CS-VAS.CA
19 arcfour-hmac-md5 host/suse10.cs-vas.ca@CS-VAS.CA
19 arcfour-hmac-md5 cifs/suse10.cs-vas.ca@CS-VAS.CA
19 arcfour-hmac-md5 host/SUSE10@CS-VAS.CA
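A listing like the one above can be summarised per principal to show which key version is current and which older versions are still retained in the keytab. This is an added example, not part of the original article or of the vastool tooling; it assumes the three-column "Vno Type Principal" layout shown above, and the function names kvno_summary and sample_listing are hypothetical.

```shell
#!/bin/sh
# Added example: summarise a `vastool ktutil list` listing per principal.
# Assumes the three-column "Vno Type Principal" layout shown in the article.

# Constructed sample input: the listing shown after the password change.
sample_listing() {
cat <<'EOF'
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
18 arcfour-hmac-md5 host/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 SUSE10$@CS-VAS.CA
18 arcfour-hmac-md5 cifs/suse10.cs-vas.ca@CS-VAS.CA
18 arcfour-hmac-md5 host/SUSE10@CS-VAS.CA
19 arcfour-hmac-md5 SUSE10$@CS-VAS.CA
19 arcfour-hmac-md5 host/suse10.cs-vas.ca@CS-VAS.CA
19 arcfour-hmac-md5 cifs/suse10.cs-vas.ca@CS-VAS.CA
19 arcfour-hmac-md5 host/SUSE10@CS-VAS.CA
EOF
}

# kvno_summary: reads a listing on stdin and writes one line per principal:
#   <principal> current=<highest Vno> retained=<older Vnos, or "-" if none>
kvno_summary() {
    awk '
    # Key rows have a numeric Vno and exactly three fields; the keytab
    # path line and the column header do not match and are skipped.
    $1 ~ /^[0-9]+$/ && NF == 3 {
        vno = $1 + 0; p = $3
        if (!(p in max)) { order[++n] = p; max[p] = vno }
        if (vno > max[p]) max[p] = vno
        # Record each (principal, Vno) pair once, even if several
        # encryption types share the same Vno.
        if (!((p, vno) in seen)) { seen[p, vno] = 1; list[p] = list[p] " " vno }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]; old = ""
            m = split(list[p], v, " ")
            for (j = 1; j <= m; j++)
                if (v[j] + 0 < max[p]) old = old (old == "" ? "" : ",") v[j]
            printf "%s current=%d retained=%s\n", p, max[p], (old == "" ? "-" : old)
        }
    }'
}

# Stand-alone run on the sample; on a host: vastool ktutil list | kvno_summary
sample_listing | kvno_summary
```

A principal reported with retained=- has only one key version in the keytab, as after a rejoin; any other value lists the older versions still present alongside the current one.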