kinit request on keytab fails using 2K3sp1 KDC

David Telfer david at
Thu Mar 23 06:27:13 EST 2006

David Telfer wrote:
> To determine the keytab kvno;
> # /usr/local/sbin/ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- 
> ---------------------------------------------------------------------
>    1    3       HTTP/ at SMG.PLC.UK
> This is the step I am unsure of, but I believe it indicates that the 
> keytab also has a KVNO of 3.  Is this correct?
To clarify this, I have realised that I was jumping through too many 
hoops to determine the kvno of the keytab file.

I should have used;
#./klist -k /etc/krb5.keytab

This returns;

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 HTTP/ at SMG.PLC.UK

Indicating that both the Service Principal and keytab kvno's match.  I 
think it would be wise for me to restart the process so I can be sure 
that the kvnos are starting at 1.

 From the determined kvno information, I am worried that starting again 
will not resolve my issue.  Assuming that the kvno is reset to 1, using 
kvno and klist to determine the version number should return similar 
results to above, but showing the number to be 1.  What would the 
difference be and would it resolve the pre-authentication issue?

More information about the Kerberos mailing list