KVNO/Keytab Question
Richard E. Silverman
res at qoxp.net
Tue Dec 2 11:56:01 EST 2008
>>>>> "KD" == kevin doran <kevin.doran at accenture.com> writes:
KD> On 1 Dec, 21:31, "Douglas E. Engert" <deeng... at anl.gov> wrote:
>> kevin.do... at accenture.com wrote:
> > Hi, I'm hoping someone can help.
>>
>> > We are having issues using SPNEGO. Our problem seems to be the
>> one > defined on:
>> >http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>>
>> > When we try to login, our browsers pass the following ticket >
>> information:
>>
>> > Ticket >
>> Tkt-vno: 5 > Realm:
>> DWPPTP.LONDONDC.COM > Server Name
>> (Service and Instance): > HTTP/ettloadbalancer.dwpptp.londondc.com
>> > Name-type: Service and
>> Instance > (2) > Name: HTTP >
>> Name: >
>> ettloadbalancer.dwpptp.londondc.com >
>> enc-part des-cbc-md5 >
>> Encryption type: des-cbc-md5 (3) >
>> Kvno: 4 > enc-part: >
>> 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>>
>> > The Kvno is 4, yet when performing a klist on the keytab file:
>>
>> > ivmgr at dptettsw02:/var/pdweb/log$ klist -k
>> /var/pdweb/keytab-dptettsw02/ > ettloadbalancer_HTTP.keytab >
>> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ >
>> ettloadbalancer_HTTP.keytab > KVNO Principal > ---- >
>> --------------------------------------------------------------------------
>> > 3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
>>
>> > We have followed the recommendation of recreating the keytab file
>> and > this has change the KVNO number in the keytab file. However
>> the KVNO > passed by the browser does not matched - how does this
>> value get set?
>>
>> > Any help is appreciated
>>
>> (Richard Silverman suggested to clean out the client ticket cache,
>> but that may only be part of the problem.)
>>
>> The knvo is usually increased by one each time you change the key
>> in the KDC, so it looks like you did not update the keytab the last
>> time you changed the key. The KDC and keytab need to stay in
>> sync. The client got a ticket with a kvno of 4, but the keytab has
>> a kvno of 3. Do you have more then one copy of the keytab file? I
>> see the word load balancer in you note. Did you update both?
>>
>> Whose KDC are you using, and what tool did you use to create or
>> update the keytab?
>>
>> (The reason for a kvno is that A keytab can have more then one key
>> for a service principal, each with a different kvno. This is done
>> to allow tickets issued with the older kvno to continue to work
>> when a new key and kvno is created in the KDC and keytab. At a
>> later time the keytab can be cleaned up removing the older entry.)
>>
>>
>>
>> > Regards
>>
>> > Kev
>>
>> > ________________________________________________ > Kerberos
>> mailing list Kerbe... at mit.edu
>> >https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>>
>> Douglas E. Engert <DEEng... at anl.gov> Argonne National
>> Laboratory 9700 South Cass Avenue Argonne, Illinois 60439
>> (630) 252-5444- Hide quoted text -
>>
>> - Show quoted text -
KD> Hi Douglas, thanks for you response.
KD> ktpass was used to create the keytab. The KDC is maintained by our
KD> local service unit.
KD> We're really scratching our heads at the moment, it seems that
KD> each time we create a new keytab file shortly afterwards the KVNO
KD> in the client ticket changes. I've no idea why they are out of
KD> sync. What changes etc could cause the KVNO to increment on the
KD> KDC?
Extracting the key (ktadd) does that, itself -- you get a *new* key when
you use ktadd. It's important to never do ktadd without also updating any
keytabs which contain the key. In particular, if there are multiple
keytabs, then you can't just use kadmin/ktadd to update them all; you have
to extract the key once and then insert it separately into the remaining
keytabs, e.g. with ktutil.
KD> Thanks
KD> Kev
--
Richard Silverman
res at qoxp.net
More information about the Kerberos
mailing list