WindowsXP/Solaris : incorrect key version number
Jacques Lebastard
Jacques.Lebastard at evidian.com
Wed Oct 6 12:47:22 EDT 2004
Douglas E. Engert wrote:
>
>
> Jacques Lebastard wrote:
>
>>
>> Hi there,
>>
>> a few days ago, I succeeded in running an SSPI/GSS-API client/server
>> program between an XP workstation and a Solaris server. The server's
>> keytab was generated using Windows 'ktpass' tool.
>
>
> Windows 2000 AD did not handle the kvno correctly and always used
> 1 or 0. 2003 does increment it each time it is changed. So you may
> have changed the number.
>
> Also when you use the ktpass, 2003 will update the password and kvno.

The last keytab generated by ktpass used kvno 10 for the account's
principal. Even though the server does use that keytab,
gss_accept_sec_context fails.

Could it be that Windows SSPI keeps previous service tickets somewhere
in caches with the previous kvno? Is the kvno visible when using
asn1dump on the GSS-API token?

> If you have the MIT kerberos, you can verify the kvno in the AD
> by using kvno cvs/<hostname>@<realm> on the Solaris system.

Nope: "Solaris 9 kerberos" is in use.

> You can also get the kvno value by looking up the value of the
> "msDS-KeyVersionNumber" attribute of the account in Windows 2003 AD.

According to the AD schema, this attribute may be part of a
securityPrincipal object. However, I cannot find any such object using
LDAP browsers!
--
Mr. Jacques LEBASTARD mailto:jacques.lebastard at evidian.com
EVIDIAN S.A. www.evidian.com
Rue Jean Jaurès Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS Fax: +33 1 30 80 77 99
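
Added example, not part of the original message and not code from any Kerberos distribution: a small Python parser that lists the kvno stored with each key in a keytab, so it can be compared with the msDS-KeyVersionNumber value discussed above. It assumes the keytab uses the MIT keytab file format version 0x0502; the principal, realm and all-zero key in the sample are constructed.

```python
import struct

def _cstr(b):                       # counted string: uint16 length, then bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(buf, p):
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries):
    """Constructed input: (realm, components, kvno, enctype, key) -> 0x0502 keytab bytes."""
    out = b"\x05\x02"
    for realm, comps, kvno, etype, key in entries:
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", etype) + _cstr(key)    # keyblock
        body += struct.pack(">I", kvno)                  # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def list_kvnos(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # nothing further to read
            break
        if size < 0:                 # deleted entry: skip the hole
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):   # realm first, then the name components
            s, p = _read_cstr(data, p)
            names.append(s.decode())
        kvno = data[p + 8]           # after 4-byte name type and 4-byte timestamp
        (etype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = _read_cstr(data, p + 11)
        if pos + size - p >= 4:      # 32-bit kvno, when present and nonzero, wins
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        found.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
        pos += size
    return found

# Constructed sample: hypothetical principal, dummy all-zero DES key, kvno 10 as in the thread.
SAMPLE = build_keytab([("EXAMPLE.COM", ["host", "server.example.com"], 10, 3, bytes(8))])
```

Calling `list_kvnos(open(path, "rb").read())` on the server's keytab shows which key versions the acceptor can actually decrypt; a ticket issued under any other kvno will not match an entry.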