Key version number for principal in key table is incorrect
Jeffrey Altman
jaltman2 at nyc.rr.com
Wed Dec 21 11:51:20 EST 2005
Please learn to properly quote messages from other people.
sandypossible at gmail.com wrote:
> Hi ,
>
> There should be no reason why you want or need to restrict the
> enctypes in a krb5.conf file. Doing so will only create a severe
> maintenance problem once you realize that DES encryption is too weak
> for continued use.
>>> Do you mean that there is no need to specify the default_xxx_enctypes in conf file?
> Could you please confirm ?
confirmed.
>
> What command line did you use?
>>> c:\>ktpass -princ sample/linux.kerb.com@KERB.COM -mapuser sample -pass <password> -out sample.keytab
>
> This is because you did not specify the correct kvno value when you
> executed ktpass.exe. Before executing ktpass.exe, use the "kvno"
> tool to determine what key version number is being issued by Active
> Directory.
>>> I tried to use kvno on Windows 2003 to find the version number, but it was asking for ccache. I didn't know what to give for ccache. Could you please tell me how to use it?
Install MIT Kerberos for Windows.
Execute "kinit <principal>" where <principal> is a client principal for
which you know the password and can obtain a TGT. This will create for
you a credential cache.
kvno will not ask you for a credential cache unless it cannot find one
with a valid TGT.
"kvno sample/linux.kerb.com@KERB.COM"
will report the key version number of the service ticket for
"sample/linux.kerb.com@KERB.COM" it was able to obtain using the TGT for
<principal> obtained above.
Jeffrey Altman
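
The check described in the message above, as an added example that is not part of the original post: it compares the version number reported by "kvno" with the versions stored in a keytab. It assumes the MIT output formats of "kvno <principal>" and "klist -k <keytab>"; the function names and the sample outputs (including the version numbers 4 and 3) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a kvno mismatch between the KDC and a keytab.

# Constructed sample of `kvno <principal>` output (assumed MIT format).
SAMPLE_KVNO='sample/linux.kerb.com@KERB.COM: kvno = 4'

# Constructed sample of `klist -k sample.keytab` output (assumed MIT format).
SAMPLE_KLIST='Keytab name: FILE:sample.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 sample/linux.kerb.com@KERB.COM
   3 sample/linux.kerb.com@KERB.COM'

# kdc_kvno PRINCIPAL KVNO_OUTPUT: print the version the KDC issued.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        index($0, p ": kvno = ") == 1 { print $NF; exit }'
}

# keytab_kvnos PRINCIPAL KLIST_OUTPUT: print distinct keytab versions, one per line.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# check_kvno PRINCIPAL KVNO_OUTPUT KLIST_OUTPUT
# Returns 0 on match, 1 on mismatch, 2 if the principal is missing from either input.
check_kvno() {
    want=$(kdc_kvno "$1" "$2")
    have=$(keytab_kvnos "$1" "$3")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "UNKNOWN: principal $1 not found in kvno or klist output"
        return 2
    fi
    for v in $have; do
        if [ "$v" = "$want" ]; then
            echo "OK: keytab holds kvno $want for $1"
            return 0
        fi
    done
    echo "MISMATCH: KDC issues kvno $want, keytab holds $(echo $have | tr ' ' ',') for $1"
    return 1
}

# Demonstration on the constructed samples; prints a MISMATCH line.
check_kvno 'sample/linux.kerb.com@KERB.COM' "$SAMPLE_KVNO" "$SAMPLE_KLIST" || true
```

On a live system, pass the real command output in place of the samples, after obtaining a TGT with kinit as described above.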