service name? key versions?
mail at url.WORLDWIDEDNS.net
Tue Sep 10 15:32:28 EDT 2002
I believe I see my misunderstanding.
This also explains why gss-server/gss-client doesn't work on my client
machine after adding svc/host.abc.com to its keytab file. I was specifying
the same password as when I created the account.
I ftp'd the servers' keytab to my client and it worked fine.
This does bring a practical question to mind. Would I normally create a
keytab file with just the entry for a particular service and transfer it to
the service host? Does the admin keytab on the kdc need them for any
Thanks in advance
"Steve Langasek" <vorlon at dodds.net> wrote in message
news:20020910174107.GC948 at dodds.net...
> On Tue, Sep 10, 2002 at 11:54:25AM -0500, Rick wrote:
> > I'm new to kerberos and don't know why I'm having this problem.
> > # ktadmin.local
> > #addprinc -kvno 3 -pw user1 user1
> > #addprinc -kvno 3 -pw user2 user2
> > #addprinc -kvno 3 -pw service svc/host.abc.com
> > #ktadd -k /usr/..... keytab svc/host.abc.com
> > All this works fine. When I go to a client, this is what I get.
> > c:\kinit user1
> > this works fine
> > c:\kinit user2
> > this works fine
> > c:\kinit svc/host.abc.com
> > password incorrect while getting initial credentials.
> > ... and yes I typed it right.
> > #getprinc svc/host.abc.com
> > now shows the key version number to be 4. Why does ktadd change the key
> > version number. Is there a document somewhere which describes key
> > The installation and system admin guides don't really say anything about
> Because "ktadd" means "generate a new random key for this principal, and
> store this shared key in the specified keytab". If you run 'ktadd', the
> password changes -- you cannot use a principal in this manner and still
> use a password to request tickets for that principal.
> Steve Langasek
> postmodern programmer
> Kerberos mailing list Kerberos at mit.edu
More information about the Kerberos