kinit request on keytab fails using 2K3sp1 KDC

david telfer david.telfer at
Thu Mar 23 14:39:25 EST 2006

On 3/23/06, Douglas E. Engert <deengert at> wrote:
> They could look at the userAccountControl field of the account which shows
> an an integer. Convert it to hex and look for the DesOnly bit0x200000
> See;en-us;305144
> You as a user might be able to see this as well using ldap or one of the
> Windows tools.

I have ldap access to the DC and have checked this, the
userAccountControl field has a decimal value of 2163200 (0x210200). 
The USE_DES_KEY_ONLY bit is definitely set which causes me quite a bit
of confusion!

To make sure I wasn't making any silly mistakes I cleared all krb
caches for all users on my Solaris box and started again.  I ran kinit
on HTTP/ at SMG.PLC.UK then checked the encryption type
with klist -e.  It is still RC4.

One thing that has caught my attention is the changing kvno numbers. 
They match between the keytab and the Service principal which is as
required, however I have deleted the user account then recreated it.

The kvno values are still going up sequentially indicating that the
kdc is aware of the previous service principals.  Is it possible that
the enctype of the initial principal is being maintained even though
the system account has been deleted?  Is there any way to delete the
service principal when deleting the system account (possibly with
setspn -D, although I can't seem to find the principal using this

p.s. sorry for the change in email address, I am unable to access my
office e-mail from home at present.

More information about the Kerberos mailing list