[krbdev.mit.edu #2298] Help!

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Sun Mar 7 17:37:08 EST 2004


Hi.  You don't need to send the same message three times; it's not going
to help us get to your report any quicker.

> [Kerberos v5 refuses authentication because telnetd: krb5_rd_req
> failed: key version number for principal in key table is incorrect]


> I HAVE CONTROLLED KEY VERSION NUMBER WITH:
> 
>      klist -ke
> 
> AND ANY PRINCIPAL HAVE A KEY NUMBER, BUT I HAVEN'T UNDERSTOOD IF IT IS
> A CASUAL NUMBER OR A SPECIFIC NUMBER, AND I DON'T KNOW HOW TO RESOLVE
> THE PROBLEM!

What version number is indicated by the klist command above?  Try also
running "kvno host/your-servers-host-name.domain.it" on the client, and
see if it reports the same key version number.  From the error message
you gave, I suspect the number on the client side will be larger.  (Or
it could be smaller, if you set up Kerberos, extracted a host key a
couple of times, deleted your database, and started over but kept the
old host key file.)  If so, extract another version of the host key with
kadmin (note that this updates the key version number and changes the
key), and install the new key file on the server.  You'll need to run
kinit again on the client (it won't know that the credentials it's got
for communicating with the server using the old host key are no longer
valid), but otherwise, that would probably fix your problem.
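
The comparison described in the reply above, as an added example that is not part of the original message: it takes the highest key version number for the host principal from `klist -ke` output and compares it with the number printed by `kvno`. The sample outputs, the principal name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the kvno in a keytab with the kvno the KDC issues.

# Highest kvno held in the keytab for principal $1 (realm included).
# Reads `klist -ke` output on stdin.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p && (!found || $1 + 0 > max) { max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# kvno reported by the KDC. Reads `kvno <principal>` output on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = keytab kvno, $2 = KDC kvno. Any mismatch means the server cannot
# decrypt tickets the KDC issues for that principal.
diagnose() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" -eq "$2" ]; then echo match
    elif [ "$2" -gt "$1" ]; then echo keytab-older   # key changed after the keytab was extracted
    else echo keytab-newer                           # keytab kept from an earlier database
    fi
}

# Constructed sample output (not taken from the original report).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 host/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 host/other.example.com@EXAMPLE.COM (des3-cbc-sha1)'
SAMPLE_KVNO='host/server.example.com@EXAMPLE.COM: kvno = 4'

PRINC='host/server.example.com@EXAMPLE.COM'
# On real hosts: kt=$(klist -ke | keytab_kvno "$PRINC")   on the server,
#                kdc=$(kvno "$PRINC" | kdc_kvno)          on the client.
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
echo "keytab kvno=$kt KDC kvno=$kdc -> $(diagnose "$kt" "$kdc")"
```

In either mismatch case the remedy is the one given in the reply: extract a new host key with kadmin, install it on the server, and run kinit again on the client.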

