kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman res at
Wed Mar 22 21:20:46 EST 2006

>>>>> "JA" == Jeffrey Altman <jaltman2 at> writes:

    JA> Richard E. Silverman wrote:
    >>>>>>> "TA" == "Tim Alsop" <Tim.Alsop at> writes:
    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.
    >>  Yes; it always sets the kvno in the keytab it writes to 1,
    >> regardless of the value in the KDB (which of course changes each
    >> time the key is extracted).  So, you can only use the keytab the
    >> first time you extract it.  If you have to do it again, just delete
    >> the principal and re-create it.

    JA> ktpass allows you to specify the kvno on the command line.  You
    JA> can obtain the kvno for the service principal with the MIT kvno
    JA> utility.

Somehow I never noticed that, probably because I couldn't imagine why
you'd need such a thing.  :)  Thanks.

    JA> Jeffrey Altman

  Richard Silverman
  res at
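Added illustration, not part of the original thread: a small Python reader for the MIT keytab file format (version 0x0502) that lists the kvno stored with each key, so it can be compared with the number the MIT kvno utility reports for the same principal. The function names, the sample principal and realm, the all-zero key and the KDC value of 3 are constructed for the example.

```python
import struct

def counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_kvnos(data):
    """List (principal, enctype, kvno) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative length: deleted entry, skip it
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        p += 8                            # skip name type and timestamp
        kvno = data[p]                    # 8-bit kvno
        (etype,) = struct.unpack_from(">H", data, p + 1)
        _key, p = counted(data, p + 3)
        if end - p >= 4:                  # optional 32-bit kvno wins if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), etype, kvno))
        off = end
    return out

def stale_entries(data, principal, kdc_kvno):
    """Entries for principal whose stored kvno differs from the KDC's."""
    return [e for e in keytab_kvnos(data) if e[0] == principal and e[2] != kdc_kvno]

def make_entry(realm, comps, kvno, etype=23, key=b"\x00" * 16):
    """Build one constructed keytab entry (dummy all-zero key)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding kvno 1 while the KDC is assumed to be at 3.
SAMPLE = b"\x05\x02" + make_entry("EXAMPLE.COM", ["host", "srv.example.com"], 1)
```

`stale_entries(SAMPLE, "host/srv.example.com@EXAMPLE.COM", 3)` returns the kvno-1 entry, which is the mismatch the thread describes.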

