service name? key versions?

Rick mail at url.WORLDWIDEDNS.net
Tue Sep 10 15:32:28 EDT 2002


I believe I see my misunderstanding.

This also explains why gss-server/gss-client doesn't work on my client
machine after adding svc/host.abc.com to its keytab file.  I was specifying
the same password as when I created the account.

I ftp'd the servers' keytab to my client and it worked fine.

This does bring a practical question to mind.  Would I normally create a
keytab file with just the entry for a particular service and transfer it to
the service host?  Does the admin keytab on the kdc need them for any
reason?

Thanks in advance






"Steve Langasek" <vorlon at dodds.net> wrote in message
news:20020910174107.GC948 at dodds.net...
> On Tue, Sep 10, 2002 at 11:54:25AM -0500, Rick wrote:
> > I'm new to kerberos and don't know why I'm having this problem.
>
> > # ktadmin.local
> > #addprinc -kvno 3 -pw user1 user1
> > #addprinc -kvno 3 -pw user2 user2
> > #addprinc -kvno 3 -pw service svc/host.abc.com
> > #ktadd -k /usr/..... keytab svc/host.abc.com
>
> > All this works fine.  When I go to a client, this is what I get.
>
> > c:\kinit user1
> > this works fine
>
> > c:\kinit user2
> > this works fine
>
> > c:\kinit svc/host.abc.com
> > password incorrect while getting initial credentials.
>
> > ... and yes I typed it right.
>
> > #getprinc svc/host.abc.com
>
> > now shows the key version number to be 4.  Why does ktadd change the key
> > version number.  Is there a document somewhere which describes key
> > versions.
> > The installation and system admin guides don't really say anything about
> > it.
>
> Because "ktadd" means "generate a new random key for this principal, and
> store this shared key in the specified keytab".  If you run 'ktadd', the
> password changes -- you cannot use a principal in this manner and still
> use a password to request tickets for that principal.
>
> Steve Langasek
> postmodern programmer
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
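
Added example, not part of the original thread and not MIT Kerberos code: a toy Python model of the behaviour described in the quoted reply, replaying the principal and kvno from the thread. The realm name, the PBKDF2-based key derivation and the HMAC check standing in for pre-authentication are simplifying assumptions.

```python
import hashlib, hmac, os

REALM = "ABC.COM"  # assumed realm; the thread never names it

def string_to_key(password, principal):
    """Simplified password-to-key step: PBKDF2 salted with realm + principal."""
    salt = (REALM + principal.replace("/", "")).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

class ToyKDC:
    """Toy principal database: principal -> (kvno, current long-term key)."""
    def __init__(self):
        self.db = {}

    def addprinc(self, principal, password, kvno):
        self.db[principal] = (kvno, string_to_key(password, principal))

    def ktadd(self, principal, keytab):
        # As the reply says: generate a NEW random key and store it in the keytab.
        kvno, _old = self.db[principal]
        entry = (kvno + 1, os.urandom(32))
        self.db[principal] = entry
        keytab[principal] = entry

    def as_req(self, principal, client_key):
        # Stand-in for pre-authentication: client proves it holds the current key.
        _kvno, key = self.db[principal]
        challenge = b"constructed-timestamp"
        proof = hmac.new(client_key, challenge, hashlib.sha256).digest()
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)

def replay_thread():
    kdc, server_keytab, regenerated = ToyKDC(), {}, {}
    svc = "svc/host.abc.com"
    kdc.addprinc(svc, "service", kvno=3)
    pw_key = string_to_key("service", svc)
    before = kdc.as_req(svc, pw_key)       # password works before ktadd
    kdc.ktadd(svc, server_keytab)          # key randomized, kvno 3 -> 4
    result = {
        "password_before_ktadd": before,
        "password_after_ktadd": kdc.as_req(svc, pw_key),
        "kvno_after_ktadd": kdc.db[svc][0],
        "copied_keytab": kdc.as_req(svc, server_keytab[svc][1]),
    }
    kdc.ktadd(svc, regenerated)            # a second ktadd rotates the key again
    result["first_keytab_after_second_ktadd"] = kdc.as_req(svc, server_keytab[svc][1])
    return result

if __name__ == "__main__":
    for name, value in replay_thread().items():
        print(f"{name}: {value}")
```

In this model the last result is False: a keytab entry stays valid only until the next ktadd for the same principal, which is why a copy of the existing keytab works where the original password does not.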




