Bug 15853 - Winbind does not set correct KVNO in system keytab after wbinfo --change-secret
Summary: Winbind does not set correct KVNO in system keytab after wbinfo --change-secret
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.21.5
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-04-23 19:21 UTC by Luca Cavana
Modified: 2025-04-23 19:21 UTC

See Also:
Description Luca Cavana 2025-04-23 19:21:28 UTC
When winbind rotates the secrets in Active Directory, either via planned rotation or by manually calling the command "wbinfo --change-secret", the KVNO in the system keytab at /etc/krb5.keytab and the AD attribute msDS-KeyVersionNumber are not set correctly.

It looks like the KVNO in the system keytab always lags one increment behind (e.g., where Active Directory reports msDS-KeyVersionNumber = 18, the system keytab has at most KVNO 17).

I'm using the defaults of secrets only and
sync machine password to keytab = /etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password

The workaround is to join the machine again (e.g. by using realmd and --do-not-touch-config option), until winbind does rotate the keytab again.

The environment is a standard Windows Server 2022 AD DS with 2016 Functional Level.
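A quick way to spot the lag described in this report is to compare the highest KVNO per principal in the keytab with the account's msDS-KeyVersionNumber in AD. The check below is an added example, not code from the report or from Samba: it parses MIT `klist -k` output (a constructed sample is embedded, with the hypothetical host WS01 in EXAMPLE.COM) and lists every principal whose newest key is older than the AD value passed in, which would be obtained separately from the domain controller.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output in MIT Kerberos format,
# modelled on the report: AD says msDS-KeyVersionNumber = 18, keytab tops out at 17.
# Host and realm names are hypothetical.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  16 host/ws01.example.com@EXAMPLE.COM
  17 host/ws01.example.com@EXAMPLE.COM
  17 host/WS01@EXAMPLE.COM
  17 WS01$@EXAMPLE.COM
"""

# A keytab entry line: leading whitespace, integer KVNO, whitespace, principal.
# Header and separator lines do not start with a number and are skipped.
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(output):
    """Return {principal: highest kvno present in the keytab} from `klist -k` text."""
    kvnos = {}
    for line in output.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def keytab_lag(output, ad_kvno):
    """Return sorted (principal, keytab kvno) pairs whose newest key is older
    than the msDS-KeyVersionNumber reported by AD (ad_kvno)."""
    return sorted((p, k) for p, k in parse_klist(output).items() if k < ad_kvno)


if __name__ == "__main__":
    # In practice: output = subprocess.run(["klist", "-k", "/etc/krb5.keytab"], ...).stdout
    # and ad_kvno read from the computer account's msDS-KeyVersionNumber attribute.
    for principal, kvno in keytab_lag(SAMPLE_KLIST_OUTPUT, 18):
        print(f"stale key: {principal} keytab kvno {kvno} < AD kvno 18")
```

If the list is non-empty after a rotation, tickets issued with the newer key will fail to decrypt against the keytab, which is the symptom the workaround (re-joining) papers over.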