kinit request on keytab fails using 2K3sp1 KDC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 23 05:10:54 EST 2006


Like yourself we spent many days/weeks trying to get the sp1 version of
ktpass to work, but we could not, so we have developed our own
replacement product that uses computer accounts instead.

Cheers, Tim 

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of David Telfer
Sent: 23 March 2006 09:47
To: kerberos at
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman wrote:
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why
>     TA> cannot use the keytab file to authenticate.
> Yes; it always sets the kvno in the keytab it writes to 1, regardless
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you
> it.  If you have to do it again, just delete the principal and
> it.
I am not sure whether this is the issue or not, I may be doing something
wrong but I have used the following procedure to determine the kvno of
both the keytab and the service principal.

To determine the KDC principal kvno;

#./kinit HTTP/ at SMG.PLC.UK
--->prompted for system user password
#./kvno HTTP/ at SMG.PLC.UK
HTTP/ at SMG.PLC.UK: kvno = 3

To determine the keytab kvno;

# /usr/local/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- 
   1    3       HTTP/ at SMG.PLC.UK

This is the step I am unsure of, but I believe it indicates that the 
keytab also has a KVNO of 3.  Is this correct?

Also, for each creation of the keytab I am deleting the system user and
service principal first before creation.  Should this not reset the kvno
back to the initial value?

David Telfer
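As an added example (not code from the thread or from any poster), the Python below reads an MIT keytab file directly and compares each stored kvno against the value reported by `kvno` on the KDC, the same comparison David does by hand with ktutil above. The sample keytab bytes, the placeholder host name, the timestamp and the all-zero key are constructed for the example.

```python
import struct

def _entry(realm, components, kvno, enctype, key, ts=1143108000):
    """Build one MIT keytab (format 0x0502) entry; used only to construct the sample."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # optional 32-bit vno field
    return struct.pack(">i", len(body)) + body

# Constructed sample: one key for HTTP/placeholder-host@SMG.PLC.UK, kvno 3, enctype 18.
# The host name is a placeholder (the thread elides the real one); the key is not real.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("SMG.PLC.UK", ["HTTP", "placeholder-host"], 3, 18, b"\x00" * 32)

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                 # negative size marks a deleted slot; skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:            # 32-bit vno present; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32: kvno = vno32
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries

def check_kvno(entries, principal, kdc_kvno):
    """Does the keytab hold a key for `principal` whose kvno matches what the KDC reports?"""
    kvnos = {k for p, k, _ in entries if p == principal}
    return kdc_kvno in kvnos, sorted(kvnos)
```

Feed `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and the number from `kvno` into `check_kvno`; a `False` result is the keytab/KDC mismatch the thread describes.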
