Fedora2/Apache2 and Key Version Error

Scott Moseman smoseman at novolink.net
Thu Aug 26 12:37:20 EDT 2004


We are having some problems getting 2003 AD to sync the KVNOs.
We are using ADSI Edit and looking at the msDS-KeyVersionNumber
field to see the AD version.  We are assuming that is a correct method?

When we got back to the key version error, we had "KVNO 3" on the
keytabs on Red Hat.  And both the KeyVersions in AD were 4.  So we
blew away the accounts and keytabs, re-created them using -kvno 4, and
we noticed the KeyVersions in AD were higher (6 and 7).

Confused... we blew away the accounts again.  Re-created both of them.
Used ADSI Edit to check what KeyVersion they were given.  Re-created
the keys using ktpass and the same KeyVersion as above (now both are 3).
Checked in ADSI Edit again and the KeyVersions were both 4, while we
just created keys using "KVNO 3".

Are we looking in the wrong spot for the KVNO version in AD?
Assuming yes, we're stumped as to how we can "match" them up!

Thanks,
Scott Moseman



"Nebergall, Christopher" <cneberg at sandia.gov> wrote:
>
> Use the kvno utility to check the version number according to AD.
>
> Use klist -k /path/to/keytab to check its version numbers.
>
> You can use ktpass.exe with the /kvno number option to set the
> keytab number when you create the keytab.
>
> You should be able to get all of the version numbers matched up.
>
> -Christopher
>
> -----Original Message-----
> From: Scott Moseman [mailto:smoseman at novolink.net]
> Sent: Thursday, August 26, 2004 9:21 AM
> To: 'Nebergall, Christopher'; kerberos at MIT.EDU
> Subject: RE: Fedora2/Apache2 and Key Version Error
>
>
> We blew away all service accounts in AD (2003) and removed all of
> the keytab files on the Fedora2 box.  Re-created two accounts for
> host and http, re-created two keytabs for host and http, and moved
> them onto the Fedora2/Apache2 box.
>
> We used ktutil to put both tickets into the /etc/krb5.keytab file.
> We used kinit and verified -my- account and both service accounts.
> All of them authenticated just fine.
>
> Using KerbTray, we do get the HTTP ticket from Apache2 now, but we
> get:  (Key version number for principal in key table is incorrect).
>
> Thanks,
> Scott Moseman
>
>
> -----Original Message-----
> From: Nebergall, Christopher [mailto:cneberg at sandia.gov]
> Sent: Wednesday, August 25, 2004 3:52 PM
> To: 'Scott Moseman'; kerberos at MIT.EDU
> Subject: RE: Fedora2/Apache2 and Key Version Error
>
> > gss_accept_sec_context() failed: Miscellaneous failure
> > (Key version number for principal in key table is incorrect)
>
> The key in your keytab file does not match the key that the Active
> Directory has for the server principal or you have changed the key
> multiple times recently IE is using an older version of the key which
> it will cache till it expires.
>
> -Christopher
>
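Christopher's advice above is to compare the KVNO stored in the keytab (`klist -k`) with the KVNO the KDC currently hands out (`kvno`). The shell function below is an added example, not code from the original thread, that does that comparison over the captured output of those two commands and reports every principal whose numbers differ or that is missing on one side. The hostname, realm and KVNO values are constructed samples chosen to reproduce the symptom in the thread (keytab at 3, AD at 4).

```shell
# Compare the KVNO recorded in a keytab ("klist -k" output) with the KVNO the
# KDC currently issues ("kvno PRINCIPAL" output).  Both inputs are passed as
# text, so the check can run against output captured from another host.

# Constructed sample of "klist -k /etc/krb5.keytab" output (not real data).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fedora2.example.com@EXAMPLE.COM
   3 HTTP/fedora2.example.com@EXAMPLE.COM'

# Constructed sample of "kvno host/... HTTP/..." output (not real data).
SAMPLE_KDC_LISTING='host/fedora2.example.com@EXAMPLE.COM: kvno = 4
HTTP/fedora2.example.com@EXAMPLE.COM: kvno = 4'

# kvno_mismatches KEYTAB_LISTING KDC_LISTING
# Prints one line per principal whose keytab KVNO differs from the KDC KVNO:
#   PRINCIPAL keytab=N kdc=M
# A principal present in only one listing is reported with "missing".
# Returns 0 when every principal matches, 1 otherwise.
kvno_mismatches() {
    keytab_listing=$1
    kdc_listing=$2
    mismatches=$(
        {
            # Normalise klist lines to "K PRINCIPAL KVNO"; header lines whose
            # first field is not a number are skipped.
            printf '%s\n' "$keytab_listing" |
                awk '$1 ~ /^[0-9]+$/ { print "K", $2, $1 }'
            # Normalise kvno lines to "D PRINCIPAL KVNO".
            printf '%s\n' "$kdc_listing" |
                awk -F': kvno = ' 'NF == 2 { print "D", $1, $2 }'
        } | awk '
            $1 == "K" { kt[$2] = $3; seen[$2] = 1 }
            $1 == "D" { kdc[$2] = $3; seen[$2] = 1 }
            END {
                for (p in seen) {
                    k = (p in kt) ? kt[p] : "missing"
                    d = (p in kdc) ? kdc[p] : "missing"
                    if (k != d) printf "%s keytab=%s kdc=%s\n", p, k, d
                }
            }' | sort
    )
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples.
if kvno_mismatches "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KDC_LISTING"; then
    echo "all keytab KVNOs match the KDC"
else
    echo "KVNO mismatch: regenerate the keytab with ktpass /kvno <KDC value>" >&2
fi
```

Against live systems, run it as `kvno_mismatches "$(klist -k /etc/krb5.keytab)" "$(kvno host/fedora2.example.com HTTP/fedora2.example.com)"` after a `kinit`, since `kvno` needs a ticket-granting ticket to request the service tickets whose KVNO it reports. The comparison deliberately uses the KDC's answer rather than the number given to `ktpass /kvno`: `ktpass` sets the account's password, and Active Directory increments `msDS-KeyVersionNumber` on every password change, so the value must be read after `ktpass` has run, which is consistent with the jump from 3 to 4 described in the thread.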
