end of key table reached error

Rick van Rein rick at openfortress.nl
Fri Oct 30 16:23:48 EDT 2015

Hi Vishal,

> I think there is some issue with keytab file , I see multiple kvno in
> keytab i.e 74 & 75. Is it practical?We have 1.7 release.

This is not uncommon; these are key version numbers.  They help to distinguish various keys assigned to a particular principal.  RFC 4120 says

   Key Version Number (kvno)
      A tag associated with encrypted data identifies which key was used
      for encryption when a long-lived key associated with a principal
      changes over time.  It is used during the transition to a new key
      so that the party decrypting a message can tell whether the data
      was encrypted with the old or the new key.

It is used in the generic type "EncryptedData" that captures most (if not all) signed / encrypted portions of data in Kerberos:

   EncryptedData   ::= SEQUENCE {
           etype   [0] Int32 -- EncryptionType --,
           kvno    [1] UInt32 OPTIONAL,
           cipher  [2] OCTET STRING -- ciphertext

You will often see the etype/kvno pair, I think these two and the PrincipalName and Realm are used to identify a key.  And that's exactly why it's in your keytab.

So, when you change your keys, you will see a new kvno while the rest of the key parts remain the same.  Your keytab can store them at the same time to be able to service older and newer keyed requests.  You are free to remove old keys if you are certain they should not be used anymore.


More information about the Kerberos mailing list