kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman res at
Wed Mar 22 17:14:02 EST 2006

>>>>> "TA" == "Tim Alsop" <Tim.Alsop at> writes:

    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.

Yes; it always sets the kvno in the keytab it writes to 1, regardless of
the value in the KDB (which of course changes each time the key is
extracted).  So, you can only use the keytab the first time you extract
it.  If you have to do it again, just delete the principal and re-create

  Richard Silverman
  res at

More information about the Kerberos mailing list