Fedora2/Apache2 and Key Version Error

Scott Moseman smoseman at novolink.net
Thu Aug 26 14:54:22 EDT 2004


We have found the solution to this problem!
PS- Christopher, thanks for your assistance!

The problem was in the syntax of the "ktpass" command.
Apparently if you use "-pass *" and prompt for the password,
which most documentation we followed provided, the KVNO
is changed in the 2003 ActiveDirectory.  By using the syntax of
"-pass password" and not prompting for it, the KVNO was ok.

For whatever reason, on a 2003 domain, when using "-pass *",
it would reset/change the KeyNumber in the AD after the key is
already processed (so the values did not match).  However, with
the "-pass password" hardcoded on the command line, it works.

Thank you, again, Christopher for the help you were providing.

Thanks,
Scott Moseman



"Nebergall, Christopher" <cneberg at sandia.gov> wrote:
>
> Use the kvno utility to check the version number according to AD.
>
> Use klist -k /path/to/keytab to check its version numbers.
>
> You can use ktpass.exe with the /kvno number option to set the
> keytab number when you create the keytab.
>
> You should be able to get all of the version numbers matched up.
>
> -Christopher
>
> -----Original Message-----
> From: Scott Moseman [mailto:smoseman at novolink.net]
> Sent: Thursday, August 26, 2004 9:21 AM
> To: 'Nebergall, Christopher'; kerberos at MIT.EDU
> Subject: RE: Fedora2/Apache2 and Key Version Error
>
>
> We blew away all service accounts in AD (2003) and removed all of
> the keytab files on the Fedora2 box.  Re-created two accounts for
> host and http, re-created two keytabs for host and http, and moved
> them onto the Fedora2/Apache2 box.
>
> We used ktutil to put both tickets into the /etc/krb5.keytab file.
> We used kinit and verified -my- account and both service accounts.
> All of them authenticated just fine.
>
> Using KerbTray, we do get the HTTP ticket from Apache2 now, but we
> get:  (Key version number for principal in key table is incorrect).
>
> Thanks,
> Scott Moseman
>
>
> -----Original Message-----
> From: Nebergall, Christopher [mailto:cneberg at sandia.gov]
> Sent: Wednesday, August 25, 2004 3:52 PM
> To: 'Scott Moseman'; kerberos at MIT.EDU
> Subject: RE: Fedora2/Apache2 and Key Version Error
>
> > gss_accept_sec_context() failed: Miscellaneous failure
> > (Key version number for principal in key table is incorrect)
>
> The key in your keytab file does not match the key that the Active
> Directory has for the server principal, or you have changed the key
> multiple times recently; IE is using an older version of the key which
> it will cache till it expires.
>
> -Christopher
>
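The check Christopher describes above (KVNO from `klist -k` versus KVNO from `kvno`), written out as an added shell example that is not part of this thread; the principal, realm and both command outputs are constructed samples, and the helper names are my own:

```bash
#!/bin/sh
# Added example: compare the key version number (KVNO) a keytab holds with the
# KVNO the KDC (here Active Directory) reports, using the output formats of
# MIT `klist -k` and `kvno`. With real output:
#   check_kvno "$(klist -k /etc/krb5.keytab)" "$(kvno "$p")" "$p"

# Constructed sample of `klist -k /etc/krb5.keytab` on the web server.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web.example.com@EXAMPLE.COM
   3 HTTP/web.example.com@EXAMPLE.COM'

# Constructed sample of `kvno HTTP/web.example.com@EXAMPLE.COM`: kvno fetches a
# service ticket and prints the key version the KDC encrypted it with.
SAMPLE_KVNO='HTTP/web.example.com@EXAMPLE.COM: kvno = 4'

# Print the highest KVNO the keytab holds for one principal (0 if absent).
# $1 = klist -k output, $2 = principal
keytab_kvno() {
  printf '%s\n' "$1" |
    awk -v p="$2" '$2 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# Print the KVNO the KDC reports for the principal.
# $1 = kvno output, $2 = principal
kdc_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF }'
}

# Exit 0 when both sides agree, 1 on the mismatch behind
# "Key version number for principal in key table is incorrect".
# $1 = klist -k output, $2 = kvno output, $3 = principal
check_kvno() {
  kt=$(keytab_kvno "$1" "$3")
  kdc=$(kdc_kvno "$2" "$3")
  if [ "$kt" = "$kdc" ]; then
    printf '%s: keytab kvno %s matches KDC kvno %s\n' "$3" "$kt" "$kdc"
    return 0
  fi
  printf '%s: keytab kvno %s but KDC reports kvno %s; re-create the keytab (ktpass /kvno %s)\n' \
    "$3" "$kt" "$kdc" "$kdc"
  return 1
}

# Demonstration on the constructed samples (reports a mismatch: 3 vs 4).
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" "HTTP/web.example.com@EXAMPLE.COM" || :
```

`kvno` needs a valid TGT, so run `kinit` first; the KDC's answer is the authoritative one, and the keytab is what has to be regenerated to match it.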