kinit request on keytab fails using 2K3sp1 KDC

Jeffrey Altman jaltman2 at
Thu Mar 23 09:14:47 EST 2006

David Telfer wrote:
> David Telfer wrote:
>> To determine the keytab kvno;
>> # /usr/local/sbin/ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  list
>> slot KVNO Principal
>> ---- ---- 
>> ---------------------------------------------------------------------
>>    1    3       HTTP/ at SMG.PLC.UK
>> This is the step I am unsure of, but I believe it indicates that the 
>> keytab also has a KVNO of 3.  Is this correct?
> To clarify this, I have realised that I was jumping through too many 
> hoops to determine the kvno of the keytab file.
> I should have used;
> #./klist -k /etc/krb5.keytab
> This returns;
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>    3 HTTP/ at SMG.PLC.UK
> Indicating that both the Service Principal and keytab kvno's match.  I 
> think it would be wise for me to restart the process so I can be sure 
> that the kvnos are starting at 1.
>  From the determined kvno information, I am worried that starting again 
> will not resolve my issue.  Assuming that the kvno is reset to 1, using 
> kvno and klist to determine the version number should return similar 
> results to above, but showing the number to be 1.  What would the 
> difference be and would it resolve the pre-authentication issue?

Why do you need the kvno to be 1?  the requirement is that the kvno of
the service ticket issued by the KDC must match the kvno of the service
principal entry in the keytab.  As the kvnos match, your problem must be
somewhere else.

For example, what is the enctype of the service ticket issued by the
KDC?  Does that match the enctype of the keytab entry you are using?

What do the following commands output?

  klist -e -k /etc/krb5.keytab

  kvno HTTP/ at SMG.PLC.UK
  klist -e

If the enctypes and output of those commands match, then you must
double check that the browser client is obtaining service tickets
with the name HTTP/ at SMG.PLC.UK and that the
enctype of that ticket matches the contents of the keytab entry.

Jeffrey Altman

More information about the Kerberos mailing list