kinit request on keytab fails using 2K3sp1 KDC

David Telfer david at
Thu Mar 23 04:47:21 EST 2006

Richard E. Silverman wrote:
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.
I am not sure whether this is the issue or not; I may be doing something 
wrong, but I have used the following procedure to determine the kvno of 
both the keytab and the service principal.

To determine the KDC principal kvno:

#./kinit HTTP/@SMG.PLC.UK
--->prompted for system user password
#./kvno HTTP/@SMG.PLC.UK
HTTP/@SMG.PLC.UK: kvno = 3

To determine the keytab kvno:

# /usr/local/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3       HTTP/@SMG.PLC.UK

This is the step I am unsure of, but I believe it indicates that the 
keytab also has a KVNO of 3.  Is this correct?

Also, for each creation of the keytab I am deleting the system user and 
service principal first before creation.  Should this not reset the kvno 
back to the initial value?

David Telfer
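The check David is doing by hand above (read the kvno stored in the keytab, compare it with the kvno the KDC reports via `kvno`) can also be done directly on the keytab file. The following is an added example, not code from the original thread or from MIT Kerberos: it parses the MIT keytab on-disk format (version 0x0502, the format `ktutil` reads) and compares the stored kvno with a kvno obtained from the KDC. The keytab bytes are constructed in the example itself so it runs offline; the principal `HTTP/host.smg.plc.uk@SMG.PLC.UK`, the timestamp and the key bytes are assumptions, and the value passed as `kdc_kvno` is whatever the `kvno` command printed (3 in the post). It also handles the optional trailing 32-bit kvno field that keytab writers use when the version number does not fit in the legacy 8-bit field.

```python
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def build_keytab(entries, with_kvno32=False):
    """Serialise (principal, kvno, enctype, timestamp, key) tuples into MIT
    keytab format 0x0502. Used here only to construct test data; a real
    keytab comes from ktpass / kadmin ktadd."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, timestamp, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))              # component count (realm excluded in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                       # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", timestamp)
        body += struct.pack(">B", kvno & 0xFF)             # legacy 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        if with_kvno32:
            body += struct.pack(">I", kvno)                # optional full 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Parse a 0x0502 keytab and return its entries with the effective kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 4                          # name_type, not needed for the kvno check
        timestamp, vno8, enctype, klen = struct.unpack_from(">IBHH", data, pos)
        pos += 9
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # trailing 32-bit kvno present: nonzero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp, key))
    return entries


def keytab_matches_kdc(entries, principal, kdc_kvno):
    """True if the keytab holds a key for `principal` whose kvno equals what
    the KDC reported (the number printed by the `kvno` command)."""
    return any(e.principal == principal and e.kvno == kdc_kvno for e in entries)


if __name__ == "__main__":
    # Constructed sample: one rc4-hmac (enctype 23) key, kvno 3, like the post.
    sample = build_keytab([("HTTP/host.smg.plc.uk@SMG.PLC.UK", 3, 23, 1143000000, b"\x11" * 16)])
    for slot, e in enumerate(parse_keytab(sample), 1):
        print(f"{slot:>4} {e.kvno:>4}  {e.principal}")
    print("keytab kvno matches KDC kvno 3:",
          keytab_matches_kdc(parse_keytab(sample), "HTTP/host.smg.plc.uk@SMG.PLC.UK", 3))
```

To use it against a real file, replace the constructed bytes with `open("/etc/krb5.keytab", "rb").read()` and pass the number printed by `kvno HTTP/...` as `kdc_kvno`; a mismatch there is exactly the failure mode Richard describes, where a keytab written with a fixed version number no longer matches the key version the KDC holds.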

