kvno overflow

Jonathan Reams jr3074 at columbia.edu
Mon Jan 31 16:13:29 EST 2011

Yes, I get

kadmin: Incorrect password while initializing kadmin interface

when authenticating against kadmin using the keytab after the overflow occurs.

On Jan 31, 2011, at 4:07 PM, Greg Hudson wrote:

> On Mon, 2011-01-31 at 15:11 -0500, Jonathan Reams wrote:
>> It looks like there's a difference between how kvnos are handled in keytabs vs the principals database/kadmin. In order to monitor our iprop setup, we have a principal who's key gets added to a keytab once an hour, and when the kvno hit 257, it reset to 0 in the keytab, but not in kadmin. 
> This is a limitation in the keytab format, and can't be easily fixed
> without invalidating everyone's keytabs.  There are provisions in the
> code for most operations to continue working in the presence of kvnos
> exceeding 255.  Are you seeing a behavior problem other than the display
> issue?

More information about the krbdev mailing list