kinit request on keytab fails using 2K3sp1 KDC

David Telfer david at 2fluid.co.uk
Thu Mar 23 04:47:21 EST 2006


Richard E. Silverman wrote:
>
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
>
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.
I am not sure whether this is the issue or not. I may be doing something
wrong, but I have used the following procedure to determine the kvno of
both the keytab and the service principal.

To determine the KDC principal kvno:

#./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK
---> prompted for system user password
#./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3

To determine the keytab kvno:

# /usr/local/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3       HTTP/connect.smg.plc.uk@SMG.PLC.UK

This is the step I am unsure of, but I believe it indicates that the 
keytab also has a KVNO of 3.  Is this correct?

Also, for each creation of the keytab I am deleting the system user and 
service principal first before creation.  Should this not reset the kvno 
back to the initial value?

Thanks,
David Telfer
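As an added example (not part of the original post or of the MIT tools), the script below reads the kvno of each entry directly from a keytab file in the MIT 0x0502 format, so the value ktutil prints can be cross-checked against what `kvno` reports from the KDC. It also handles the optional trailing 32-bit kvno field, which is what carries the real value once a principal's kvno exceeds 255 and the 8-bit field wraps. The keytab bytes, principal names, enctypes and timestamp are constructed for the example.

```python
import struct

def _counted(b: bytes) -> bytes:
    # Keytab "counted octet string": 16-bit big-endian length, then the bytes.
    return struct.pack(">H", len(b)) + b

def build_entry(realm, comps, kvno, enctype, key, ts=1143107241):
    # One v2 entry (name_type 1 = NT_PRINCIPAL): 8-bit vno plus trailing 32-bit kvno.
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (format 0x0502), not taken from the original post:
# the post's principal at kvno 3, plus a second entry whose kvno exceeds 255.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("SMG.PLC.UK", ["HTTP", "connect.smg.plc.uk"], 3, 17, bytes(16))
    + build_entry("SMG.PLC.UK", ["host", "connect.smg.plc.uk"], 300, 18, bytes(32))
)

def parse_keytab(data: bytes) -> list[dict]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:               # negative size marks a deleted slot; zero ends the table
            if size == 0:
                break
            off -= size
            continue
        end = off + size
        ncomp, off = struct.unpack_from(">H", data, off)[0], off + 2
        strings = []                # realm first, then each name component
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, off)[0]
            strings.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        vno8 = data[off + 8]        # after 32-bit name_type and 32-bit timestamp
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen            # skip name_type, timestamp, vno8 and the keyblock
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno; zero means "not set"
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        off = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype})
    return entries
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` on a real file and compare each entry's kvno with the value `kvno <principal>` returns after a kinit; a mismatch is exactly the condition under which the keytab cannot be used to authenticate.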
