Key version number for principal in key table is incorrect -

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Dec 21 11:51:20 EST 2005


Please learn to properly quote messages from other people.

sandypossible at gmail.com wrote:
> Hi,
> 
> There should be no reason why you want or need to restrict the
> enctypes in a krb5.conf file.   Doing so will only create a severe
> maintenance problem once you realize that DES encryption is too weak
> for continued use.
>>> Do you mean that there is no need to specify the default_xxx_enctypes in the conf file?
> Could you please confirm ?

Confirmed.

> 
>  What command line did you use?
>>> c:\>ktpass -princ sample/linux.kerb.com@KERB.COM -mapuser sample -pass <password>  -out sample.keytab
> 
> This is because you did not specify the correct kvno value when you
> executed ktpass.exe.   Before executing ktpass.exe, use the "kvno"
> tool to determine what key version number is being issued by Active
> Directory.
>>> I tried to use kvno on Windows 2003 to find the version number, but it was asking for ccache. I didn't know what to give for ccache. Could you please tell me how to use it?

Install MIT Kerberos for Windows.

Execute "kinit <principal>" where <principal> is a client principal for
which you know the password and can obtain a TGT.   This will create for
you a credential cache.

kvno will not ask you for a credential cache unless it cannot find one
with a valid TGT.

"kvno sample/linux.kerb.com@KERB.COM"

will report the key version number of the service ticket for
"sample/linux.kerb.com@KERB.COM" it was able to obtain using the TGT for
<principal> obtained above.

Jeffrey Altman
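
As an added example (not part of the original message), the comparison described above can be scripted: take the key version number that "kvno" reports for the service principal and check it against the entries that "klist -k" lists for the keytab. The output formats assumed are those of plain MIT "kvno" and "klist -k", and the sample outputs and kvno values below are constructed for illustration.

```python
import re

# Constructed sample output, in the format MIT "kvno" prints for a service ticket.
KVNO_OUTPUT = "sample/linux.kerb.com@KERB.COM: kvno = 4\n"

# Constructed sample output, in the format MIT "klist -k sample.keytab" prints.
KLIST_OUTPUT = """\
Keytab name: FILE:sample.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 sample/linux.kerb.com@KERB.COM
"""

def parse_kvno(text):
    """Return {principal: kvno} from 'principal: kvno = N' lines."""
    issued = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+): kvno = (\d+)$", line.strip())
        if m:
            issued[m.group(1)] = int(m.group(2))
    return issued

def parse_keytab_listing(text):
    """Return {principal: set of kvnos} from the rows of a 'klist -k' listing."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def check(kvno_text, klist_text):
    """Compare the kvno issued by the KDC with the keytab; return findings."""
    keytab = parse_keytab_listing(klist_text)
    findings = []
    for principal, issued in parse_kvno(kvno_text).items():
        have = keytab.get(principal, set())
        if not have:
            findings.append((principal, issued, "missing from keytab"))
        elif issued not in have:
            findings.append((principal, issued, "keytab has kvno %s" % sorted(have)))
    return findings

if __name__ == "__main__":
    for principal, issued, problem in check(KVNO_OUTPUT, KLIST_OUTPUT):
        print("%s: KDC issues kvno %d, %s" % (principal, issued, problem))
```

An empty result means the keytab holds an entry with the key version number the KDC is currently issuing for that principal.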


