KVNO/Keytab Question

Richard E. Silverman res at qoxp.net
Sun Nov 30 12:30:57 EST 2008


>>>>> "KD" == kevin doran <kevin.doran at accenture.com> writes:

    KD> On 29 Nov, 03:21, "Richard E. Silverman" <r... at qoxp.net> wrote:
    >> >>>>> "KD" == kevin doran <kevin.do... at accenture.com> writes:
    >>
    >>     KD> Hi, I'm hoping someone can help.  We are having issues using
    >>     KD> SPNEGO. Our problem seems to be the one defined on:
    >>     KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
    >>
    >>     KD> When we try to login, our browsers pass the following ticket
    >>     KD> information:
    >>
    >>     KD> Ticket
    >>     KD>   Tkt-vno: 5
    >>     KD>   Realm: DWPPTP.LONDONDC.COM
    >>     KD>   Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
    >>     KD>     Name-type: Service and Instance (2)
    >>     KD>     Name: HTTP
    >>     KD>     Name: ettloadbalancer.dwpptp.londondc.com
    >>     KD>   enc-part des-cbc-md5
    >>     KD>     Encryption type: des-cbc-md5 (3)
    >>     KD>     Kvno: 4
    >>     KD>     enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
    >>
    >>     KD> The Kvno is 4, yet when performing a klist on the keytab file:
    >>
    >>     KD> ivmgr at dptettsw02:/var/pdweb/log$ klist -k
    >>     KD> /var/pdweb/keytab-dptettsw02/ ettloadbalancer_HTTP.keytab
    >>     KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/
    >>     KD> ettloadbalancer_HTTP.keytab
    >>     KD> KVNO Principal
    >>     KD> ---- --------------------------------------------------------------------------
    >>     KD>    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
    >>
    >>     KD> We have followed the recommendation of recreating the keytab
    >>     KD> file and this has changed the KVNO number in the keytab file.
    >>     KD> However the KVNO passed by the browser does not match - how
    >>     KD> does this value get set?
    >>
    >> You need to purge the ccache on the client machine so that it
    >> obtains a new, matching ticket from the KDC.
    >>
    >>     KD> Any help is appreciated
    >>
    >>     KD> Regards
    >>
    >>     KD> Kev
    >>
    >> --   Richard Silverman   r... at qoxp.net

    KD> Thanks Richard, is that done using the "C:\Program Files\Resource
    KD> Kit \KLIST.EXE" purge" command? If so, I have tried this but it
    KD> still isn't working

Do all of the following match?

* kvno reported by "getprinc" in kadmin
* kvno in the keytab file
* kvno in the ticket supplied by the browser

What are you using on the server side, Apache + mod_auth_kerb?  If so,
what are the log messages emitted by mod_auth_kerb?

-- 
  Richard Silverman
  res at qoxp.net
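
The three-way kvno comparison asked for above, as an added example that is not part of the original message: it parses plain `klist -k` output, the `Key: vno N` lines of kadmin `getprinc`, and the `Kvno:` field of a dissected ticket, then reports which side is out of step. The function names, the `example.com` principal and all sample text (including the KDC kvno of 4) are constructed for illustration.

```python
import re

def keytab_kvnos(klist_k_output, principal):
    """kvnos that plain `klist -k` output lists for one principal."""
    found = set()
    for line in klist_k_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m and m.group(2) == principal:
            found.add(int(m.group(1)))
    return found

def kdc_kvno(getprinc_output):
    """Highest 'Key: vno N' in kadmin getprinc output, i.e. the current key."""
    vnos = re.findall(r"^Key: vno (\d+)", getprinc_output, re.M)
    return max(map(int, vnos)) if vnos else None

def ticket_kvno(ticket_dump):
    """Kvno field of a dissected ticket, in the layout quoted in the thread."""
    m = re.search(r"\bKvno:\s*(\d+)", ticket_dump)
    return int(m.group(1)) if m else None

def diagnose(kdc, keytab, ticket):
    """All three agree exactly when this returns an empty list."""
    findings = []
    if kdc not in keytab:
        findings.append("keytab-out-of-date")  # re-export keytab at the KDC's kvno
    if ticket != kdc:
        findings.append("ticket-stale")        # client cache holds an old-key ticket
    return findings

# Constructed sample input (example.com names are placeholders, not from the thread).
PRINC = "HTTP/web.example.com@EXAMPLE.COM"
KLIST_K = """Keytab name: FILE:/tmp/example_HTTP.keytab
KVNO Principal
---- ----------------------------------------
   3 HTTP/web.example.com@EXAMPLE.COM
"""
GETPRINC = """Principal: HTTP/web.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 4, des-cbc-md5
"""
TICKET = "enc-part des-cbc-md5\n  Encryption type: des-cbc-md5 (3)\n  Kvno: 4\n"

if __name__ == "__main__":
    print(diagnose(kdc_kvno(GETPRINC), keytab_kvnos(KLIST_K, PRINC),
                   ticket_kvno(TICKET)))
```

A keytab may hold several kvnos for the same principal, which is why the keytab side is handled as a set.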



