Fedora2/Apache2 and Key Version Error

Scott Moseman smoseman at novolink.net
Thu Aug 26 11:20:54 EDT 2004


We blew away all service accounts in AD (2003) and removed all of
the keytab files on the Fedora2 box.  Re-created two accounts for
host and http, re-created two keytabs for host and http, and moved
them onto the Fedora2/Apache2 box.

We used kutil to put both tickets into the /etc/krb5.keytab file.
We used kinit and verified -my- account and both service accounts.
All of them authenticated just fine.

Using KerbTray, we do get the HTTP ticket from Apache2 now, but we
get:  (Key version number for principal in key table is incorrect).

Thanks,
Scott Moseman


-----Original Message-----
From: Nebergall, Christopher [mailto:cneberg at sandia.gov] 
Sent: Wednesday, August 25, 2004 3:52 PM
To: 'Scott Moseman'; kerberos at MIT.EDU
Subject: RE: Fedora2/Apache2 and Key Version Error

> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)

The key in your keytab file does not match the key that the Active Directory
has for the server principal, or you have changed the key multiple times
recently and IE is using an older version of the key, which it will cache
till it expires.

-Christopher
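
Added example, not part of either message above: one way to check the mismatch Christopher describes is to compare the kvno on the service ticket the KDC issues with the kvno entries in the keytab. The principal name, realm and sample command output below are constructed; the functions assume the plain MIT `klist -k` and `kvno` output formats.

```shell
#!/bin/sh
# Compare the key version number (kvno) on a service ticket with the kvno
# entries a keytab holds for the same principal.
# On a live host, feed the functions from (after a fresh kinit):
#   klist -k /etc/krb5.keytab      and      kvno HTTP/<fqdn>@<REALM>

# Constructed sample output: keytab holds kvno 3, the KDC now issues kvno 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   3 HTTP/web.example.com@EXAMPLE.COM
   3 host/web.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/web.example.com@EXAMPLE.COM: kvno = 4'

# Print every kvno the keytab listing (stdin) holds for principal $1.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# Extract N from a "principal: kvno = N" line (stdin).
ticket_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# compare_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT -> prints match|mismatch|missing
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    tk=$(printf '%s\n' "$3" | ticket_kvno)
    if [ -z "$kt" ] || [ -z "$tk" ]; then
        echo missing        # principal not in keytab, or no ticket obtained
    elif printf '%s\n' "$kt" | grep -qx "$tk"; then
        echo match          # keytab has a key with the ticket's version
    else
        echo mismatch       # the condition behind the error in this thread
    fi
}

compare_kvno 'HTTP/web.example.com@EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```

A `mismatch` result means the keytab has to be regenerated from the account's current key; a `match` on the server while the browser still fails points at the older ticket cached on the client.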


