service name? key versions?

Rick mail at
Tue Sep 10 15:32:28 EDT 2002

I believe I see my misunderstanding.

This also explains why gss-server/gss-client doesn't work on my client
machine after adding svc/ to its keytab file.  I was specifying
the same password as when I created the account.

I ftp'd the servers' keytab to my client and it worked fine.

This does bring a practical question to mind.  Would I normally create a
keytab file with just the entry for a particular service and transfer it to
the service host?  Does the admin keytab on the KDC need them for any

Thanks in advance

"Steve Langasek" <vorlon at> wrote in message
news:20020910174107.GC948 at
> On Tue, Sep 10, 2002 at 11:54:25AM -0500, Rick wrote:
> > I'm new to Kerberos and don't know why I'm having this problem.
> > # ktadmin.local
> > #addprinc -kvno 3 -pw user1 user1
> > #addprinc -kvno 3 -pw user2 user2
> > #addprinc -kvno 3 -pw service svc/
> > #ktadd -k /usr/..... keytab svc/
> > All this works fine.  When I go to a client, this is what I get.
> > c:\kinit user1
> > this works fine
> > c:\kinit user2
> > this works fine
> > c:\kinit svc/
> > password incorrect while getting initial credentials.
> > ... and yes I typed it right.
> > #getprinc svc/
> > now shows the key version number to be 4.  Why does ktadd change the key
> > version number?  Is there a document somewhere which describes key
> > The installation and system admin guides don't really say anything about
> Because "ktadd" means "generate a new random key for this principal, and
> store this shared key in the specified keytab".  If you run 'ktadd', the
> password changes -- you cannot use a principal in this manner and still
> use a password to request tickets for that principal.
> Steve Langasek
> postmodern programmer
