
kerberos (AD): kvno is hardcoded as 0 #559

Open
nightkr opened this issue Jan 31, 2025 · 0 comments
nightkr commented Jan 31, 2025

Affected Stackable version

24.11.1, secret-operator 0.0.0-pr552

Current and expected behavior

Currently, our AD keytab generator always uses the hardcoded kvno=0. However, some applications refuse to authenticate if the keytab's kvno does not match the kvno of the ticket from the KDC.

For example, kafka-exporter fails to authenticate with the following error message:

F0131 10:44:45.535910      21 kafka_exporter.go:924] Error Init Kafka Client: kafka: client has run out of available brokers to talk to: [Root cause: Decrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect < Decrypting_Error: error decrypting EncPart of AS_REP < Decrypting_Error: error decrypting AS_REP encrypted part: matching key not found in keytab. Looking for "kexp2/kexp2.stackable-products.svc.cluster.local" realm: SBLE.TEST kvno: 1 etype: 18

with the following keytab:

Keytab name: FILE:keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/31/2025 11:44:23 kexp2/[email protected] (aes256-cts-hmac-sha1-96)

Possible solution

We should pull the current KVNO from LDAP: https://serverfault.com/a/869870/88628

Ideally we should associate each cache entry with its KVNO rather than pulling the current KVNO at keytab-building-time.

Additional context

kafka_exporter, version 1.8.0

Environment

AD installed via https://github.com/stackabletech/ad-init

Would you like to work on fixing this bug?

None
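To make the failure mode above concrete, here is an added example (not code from this issue or from secret-operator) that serialises and parses MIT-format keytabs and performs the same lookup the failing client does: principal, realm, kvno and etype must all match. It builds two constructed keytabs for the principal and realm from the error message, one with the hardcoded kvno=0 and one with kvno=1, and shows that only the second satisfies a request for kvno 1 / etype 18. The key bytes, timestamp and all helper names are assumptions; fetching the real KVNO from AD (the msDS-KeyVersionNumber attribute the linked answer reads) needs a live directory and is deliberately left out.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"           # MIT keytab file format version 2
NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18   # the etype named in the issue's error message


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length prefix."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key, timestamp) tuples into a
    0x0502 keytab. The 32-bit kvno trailer is always written so kvno values
    above 255 survive; the 8-bit field carries the low byte as usual."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key, timestamp in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a 0x0502 keytab into a list of dicts, one per live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            components.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(components), "realm": realm,
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
    return entries


def find_matching_key(data: bytes, principal: str, realm: str, kvno: int, enctype: int):
    """The lookup the client performs when decrypting the AS-REP: principal,
    realm, kvno and etype must all match. None is the 'matching key not found'
    case from the issue."""
    for entry in parse_keytab(data):
        if (entry["principal"], entry["realm"], entry["kvno"], entry["enctype"]) == \
                (principal, realm, kvno, enctype):
            return entry
    return None


# Constructed sample values; FAKE_KEY is a placeholder, not real key material.
PRINCIPAL = "kexp2/kexp2.stackable-products.svc.cluster.local"
REALM = "SBLE.TEST"
FAKE_KEY = bytes(range(32))
STAMP = 1738323863                   # constructed timestamp

BROKEN_KEYTAB = build_keytab([(PRINCIPAL, REALM, 0, ETYPE_AES256_CTS_HMAC_SHA1_96, FAKE_KEY, STAMP)])
FIXED_KEYTAB = build_keytab([(PRINCIPAL, REALM, 1, ETYPE_AES256_CTS_HMAC_SHA1_96, FAKE_KEY, STAMP)])

if __name__ == "__main__":
    for label, keytab in (("kvno=0 keytab", BROKEN_KEYTAB), ("kvno=1 keytab", FIXED_KEYTAB)):
        hit = find_matching_key(keytab, PRINCIPAL, REALM, 1, ETYPE_AES256_CTS_HMAC_SHA1_96)
        print(label, "->", "matching key found" if hit else "matching key not found")
```

Running the script prints "matching key not found" for the kvno=0 keytab and "matching key found" for the kvno=1 one; pointing `parse_keytab` at a real keytab file (`open(path, "rb").read()`) lists each entry's kvno, which is the quick way to confirm whether a generated keytab carries the hardcoded 0 before an application trips over it.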
