KVNO/Keytab Question

kevin.doran@accenture.com kevin.doran at accenture.com
Tue Dec 2 07:47:38 EST 2008


On 1 Dec, 21:31, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> kevin.do... at accenture.com wrote:
> > Hi, I'm hoping someone can help.
>
> > We are having issues using SPNEGO. Our problem seems to be the one
> > defined on:
> >http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>
> > When we try to login, our browsers pass the following ticket
> > information:
>
> >                             Ticket
> >                                 Tkt-vno: 5
> >                                 Realm: DWPPTP.LONDONDC.COM
> >                                 Server Name (Service and Instance):
> > HTTP/ettloadbalancer.dwpptp.londondc.com
> >                                     Name-type: Service and Instance
> > (2)
> >                                     Name: HTTP
> >                                     Name:
> > ettloadbalancer.dwpptp.londondc.com
> >                                 enc-part des-cbc-md5
> >                                     Encryption type: des-cbc-md5 (3)
> >                                     Kvno: 4
> >                                     enc-part:
> > 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>
> > The Kvno is 4, yet when performing a klist on the keytab file:
>
> > ivmgr at dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> > Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
>
> > We have followed the recommendation of recreating the keytab file and
> > this has changed the KVNO in the keytab file. However, the KVNO
> > passed by the browser does not match - how does this value get set?
>
> > Any help is appreciated
>
> (Richard Silverman suggested to clean out the client ticket cache,
> but that may only be part of the problem.)
>
> The kvno is usually increased by one each time you change the key in the KDC,
> so it looks like you did not update the keytab the last time you changed
> the key. The KDC and keytab need to stay in sync. The client got a ticket with
> a kvno of 4, but the keytab has a kvno of 3. Do you have more than one copy
> of the keytab file? I see the word load balancer in your note. Did you update both?
>
> Whose KDC are you using, and what tool did you use to create or update the keytab?
>
> (The reason for a kvno is that a keytab can have more than one key for a
> service principal, each with a different kvno. This is done to allow tickets
> issued with the older kvno to continue to work when a new key and kvno are
> created in the KDC and keytab. At a later time the keytab can be cleaned up,
> removing the older entry.)
>
>
>
> > Regards
>
> > Kev
>
> --
>
>   Douglas E. Engert  <DEEng... at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

Hi Douglas, thanks for your response.

ktpass was used to create the keytab. The KDC is maintained by our
local service unit.

We're really scratching our heads at the moment. It seems that each
time we create a new keytab file, shortly afterwards the KVNO in the
client ticket changes. I've no idea why they are out of sync. What
changes, etc., could cause the KVNO to increment on the KDC?

Thanks

Kev
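As an added example (not code from either poster), a small parser for the MIT version 2 (0x0502) keytab file format that lists the kvno and enctype of every entry and checks whether the key a ticket names (principal, kvno 4, des-cbc-md5 as in the dump above) is actually present. It mirrors Douglas's point that one keytab can hold several kvnos for the same principal; the key bytes, timestamps and principal name type are constructed sample values, not data from the thread.

```python
import struct

DES_CBC_MD5 = 3  # enctype number shown in the ticket dump above

def _entry(realm, components, kvno, enctype, key):
    """Encode one v2 keytab entry; name type 1, timestamp 0, constructed key."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def _read_str(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size = deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_str(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_str(data, pos)
            comps.append(c)
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        # A non-zero 32-bit kvno trailer overrides the 8-bit vno field.
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        pos = end
    return entries

def keytab_can_decrypt(data, principal, kvno, enctype):
    return (principal, kvno, enctype) in parse_keytab(data)  # exact triple needed

# Constructed sample keytabs mirroring the thread: kvno 3 only, then 3 and 4.
REALM, COMPS = "DWPPTP.LONDONDC.COM", ["HTTP", "ettloadbalancer.dwpptp.londondc.com"]
PRINCIPAL = "/".join(COMPS) + "@" + REALM
OLD_KEYTAB = b"\x05\x02" + _entry(REALM, COMPS, 3, DES_CBC_MD5, b"\x11" * 8)
NEW_KEYTAB = OLD_KEYTAB + _entry(REALM, COMPS, 4, DES_CBC_MD5, b"\x22" * 8)
```

Running `parse_keytab` over the real keytab files on every server behind the load balancer and comparing the kvnos with the one in the browser's ticket shows directly which copy is stale.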


