kinit request on keytab fails using 2K3sp1 KDC
Richard E. Silverman
res at qoxp.net
Wed Mar 22 21:20:46 EST 2006
>>>>> "JA" == Jeffrey Altman <jaltman2 at nyc.rr.com> writes:
JA> Richard E. Silverman wrote:
>>>>>>> "TA" == "Tim Alsop" <Tim.Alsop at cybersafe.com> writes:
>>
TA> It seems that the sp1 version of ktpass stores a key with a
TA> specific kvno in the keytab file, and the kvno in the domain
TA> controller for the same principal is different. This is why you
TA> cannot use the keytab file to authenticate.
>> Yes; it always sets the kvno in the keytab it writes to 1,
>> regardless of the value in the KDB (which of course changes each
>> time the key is extracted). So, you can only use the keytab the
>> first time you extract it. If you have to do it again, just delete
>> the principal and re-create it.
JA> ktpass allows you to specify the kvno on the command line. You
JA> can obtain the kvno for the service principal with the MIT kvno
JA> utility.
Somehow I never noticed that, probably because I couldn't imagine why
you'd need such a thing. :) Thanks.
JA> Jeffrey Altman
--
Richard Silverman
res at qoxp.net