kinit request on keytab fails using 2K3sp1 KDC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 23 05:10:54 EST 2006


David,

Like yourself we spent many days/weeks trying to get the sp1 version of
ktpass to work, but we could not, so we have developed our own
replacement product that uses computer accounts instead.

Cheers, Tim 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of David Telfer
Sent: 23 March 2006 09:47
To: kerberos at mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman wrote:
>
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
>
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.

I am not sure whether this is the issue or not, I may be doing something
wrong but I have used the following procedure to determine the kvno of
both the keytab and the service principal.

To determine the KDC principal kvno;

#./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK
--->prompted for system user password
#./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3

To determine the keytab kvno;

# /usr/local/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3       HTTP/connect.smg.plc.uk@SMG.PLC.UK

This is the step I am unsure of, but I believe it indicates that the 
keytab also has a KVNO of 3.  Is this correct?

Also, for each creation of the keytab I am deleting the system user and
service principal first before creation.  Should this not reset the kvno
back to the initial value?

Thanks,
David Telfer


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



