David Telfer wrote:
> David Telfer wrote:
>> To determine the keytab kvno;
>>
>> # /usr/local/sbin/ktutil
>> ktutil: rkt /etc/krb5.keytab
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    3 HTTP/[EMAIL PROTECTED]
>>
>> This is the step I am unsure of, but I believe it indicates that the
>> keytab also has a KVNO of 3. Is this correct?
>>
> To clarify this, I have realised that I was jumping through too many
> hoops to determine the kvno of the keytab file.
>
> I should have used;
> #./klist -k /etc/krb5.keytab
>
> This returns;
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/[EMAIL PROTECTED]
>
> Indicating that both the Service Principal and keytab kvnos match. I
> think it would be wise for me to restart the process so I can be sure
> that the kvnos are starting at 1.
>
> From the determined kvno information, I am worried that starting again
> will not resolve my issue. Assuming that the kvno is reset to 1, using
> kvno and klist to determine the version number should return similar
> results to above, but showing the number to be 1. What would the
> difference be and would it resolve the pre-authentication issue?

Why do you need the kvno to be 1? The requirement is that the kvno of
the service ticket issued by the KDC must match the kvno of the service
principal entry in the keytab. As the kvnos match, your problem must be
somewhere else.

For example, what is the enctype of the service ticket issued by the
KDC? Does that match the enctype of the keytab entry you are using?

What do the following commands output?

  klist -e -k /etc/krb5.keytab
  kvno HTTP/[EMAIL PROTECTED]
  klist -e

If the enctypes and output of those commands match, then you must double
check that the browser client is obtaining service tickets with the name
HTTP/[EMAIL PROTECTED] and that the enctype of that ticket matches the
contents of the keytab entry.

Jeffrey Altman

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
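
The comparison asked for in the reply above, as an added example that is not part of the original thread: it parses the output of the three commands and reports whether the kvno or the enctype is what differs between the issued service ticket and the keytab. The principal name and all sample output are constructed placeholders, and the text layout is assumed to be that of MIT krb5's klist and kvno.

```python
import re

# Constructed sample outputs (not from the thread); MIT krb5 text layout assumed.
PRINC = "HTTP/www.example.com@EXAMPLE.COM"  # placeholder principal
KEYTAB_OUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM (arcfour-hmac)
"""
KVNO_OUT = "HTTP/www.example.com@EXAMPLE.COM: kvno = 3\n"
CCACHE_OUT = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/08 09:05:00  01/01/08 19:00:00  HTTP/www.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

def keytab_keys(text, princ):
    """(kvno, enctype) pairs for princ in `klist -e -k` output."""
    pat = r"^[ \t]*(\d+)[ \t]+%s[ \t]+\(([^)]+)\)" % re.escape(princ)
    return {(int(k), e) for k, e in re.findall(pat, text, re.M)}

def issued_kvno(text, princ):
    """kvno the KDC reported in `kvno <principal>` output, or None."""
    m = re.search(r"^%s: kvno = (\d+)" % re.escape(princ), text, re.M)
    return int(m.group(1)) if m else None

def ticket_enctype(text, princ):
    """Ticket (tkt) enctype of the cached service ticket in `klist -e` output."""
    pat = r"[ \t]%s[ \t]*\n[ \t]*Etype \(skey, tkt\): [^,]+, (\S+)" % re.escape(princ)
    m = re.search(pat, text)
    return m.group(1) if m else None

def diagnose(princ, keytab_out, kvno_out, ccache_out):
    """Name the first thing that stops the keytab from decrypting the ticket."""
    keys = keytab_keys(keytab_out, princ)
    kvno, etype = issued_kvno(kvno_out, princ), ticket_enctype(ccache_out, princ)
    if not keys:
        return "no keytab entry"
    if kvno is None or etype is None:
        return "no service ticket"
    if (kvno, etype) in keys:
        return "ok"
    if kvno not in {k for k, _ in keys}:
        return "kvno mismatch"
    return "enctype mismatch"

if __name__ == "__main__":
    print(diagnose(PRINC, KEYTAB_OUT, KVNO_OUT, CCACHE_OUT))
```

With the constructed samples the kvnos agree at 3 but the keytab holds only an arcfour-hmac key while the ticket is aes256-cts-hmac-sha1-96, so the result is an enctype mismatch.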