Windows 2003 and kvno in tickets
Douglas E. Engert
deengert at anl.gov
Thu Jan 15 10:06:08 EST 2004
I was hoping someone knew how the Windows admin could find the kvno in AD.
The MS 2000 ktpass -kvno says you can add it, but it is not clear if this
updates the AD or is only used to create a keytab file. Our Windows
admins says the 2003 ktpass is not out yet.
The MIT kvno shows the keys, but that is from the client side.
Jeffrey Hutzelman wrote:
>
> On Wednesday, January 14, 2004 16:22:09 -0600 "Douglas E. Engert"
> <deengert at anl.gov> wrote:
>
> >
> > We recently upgraded one of our Windows AD servers to 2003. We have a
> > number of service principals registered in AD which are for services run
> > on UNIX. Some users where having problems using these services.
> >
> > It appears that 2003 AD now supports key version numbers in tickets. The
> > upgraded server is issuing tickets with kvnos other then zero, while the
> > others are always using zero.
> >
> > It is not clear where it got the kvno to use, as the entries where all
> > added prior to the upgrade, and I don't recall entring in these kvnos in
> > the ktpass command when we defined these principals.
> >
> > We have not found the AD command to look at what kvno is in the AD.
> > Anyone know the command?
>
> No, but you should be able to use 'kvno' or 'kgetcred' followed by 'klist
> -v' to get a service ticket and display the kvno used in that ticket.
I don't see in the MIT klist code a -v. Is that Hiemdal?
>
> -- Jeff
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list