[30483] in Kerberos


Re: KVNO/Keytab Question

daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Mon Dec 1 14:18:04 2008

From: "Richard E. Silverman" <res@qoxp.net>
Date: Fri, 28 Nov 2008 22:21:24 -0500
Message-ID: <m21vwvrzd7.fsf@darwin.oankali.net>
To: kerberos@mit.edu

>>>>> "KD" == kevin doran <kevin.doran@accenture.com> writes:

    KD> Hi, I'm hoping someone can help.  We are having issues using
    KD> SPNEGO. Our problem seems to be the one defined on:
    KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en

    KD> When we try to login, our browsers pass the following ticket
    KD> information:

    KD> Ticket
    KD>   Tkt-vno: 5
    KD>   Realm: DWPPTP.LONDONDC.COM
    KD>   Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
    KD>     Name-type: Service and Instance (2)
    KD>     Name: HTTP
    KD>     Name: ettloadbalancer.dwpptp.londondc.com
    KD>   enc-part des-cbc-md5
    KD>     Encryption type: des-cbc-md5 (3)
    KD>     Kvno: 4
    KD>     enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...

    KD> The Kvno is 4, yet when performing a klist on the keytab file:

    KD> ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    KD> KVNO Principal
    KD> ---- --------------------------------------------------------------------------
    KD>    3 HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM

    KD> We have followed the recommendation of recreating the keytab file
    KD> and this has changed the KVNO number in the keytab file. However
    KD> the KVNO passed by the browser does not match - how does this
    KD> value get set?

You need to purge the ccache on the client machine so that it obtains a
new, matching ticket from the KDC.

    KD> Any help is appreciated

    KD> Regards

    KD> Kev


-- 
  Richard Silverman
  res@qoxp.net
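
The comparison behind the question above, ticket kvno against keytab kvno, can be made directly from the keytab file. The following is an added example, not part of either post: a minimal reader for the MIT keytab file format (version 0x0502 assumed); the function names and the all-zero sample key are constructed for illustration.

```python
import struct

def _cstr(buf, off):
    """Read a counted octet string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def make_entry(realm, comps, kvno, etype, key):
    """Build one keytab entry; used only to construct the sample below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 2, 0, kvno & 0xFF, etype) + cs(key)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size <= 0:                        # negative size: deleted entry (hole)
            off += 4 - size
            continue
        end = off + 4 + size
        realm, p = _cstr(data, off + 6)      # realm follows the component count
        comps = []
        for _ in range(struct.unpack_from(">H", data, off + 4)[0]):
            c, p = _cstr(data, p)
            comps.append(c.decode())
        p += 8                               # skip name_type and timestamp
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _cstr(data, p + 3)
        if end - p >= 4:                     # 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return entries

def check_ticket(entries, principal, kvno, etype):
    """Report whether the keytab holds the key version the ticket names."""
    have = sorted({k for p, k, e in entries if p == principal and e == etype})
    return "ok" if kvno in have else f"kvno {kvno} missing; keytab has {have}"

# Constructed sample: names and kvno 3 from the thread, all-zero placeholder key.
REALM = "DWPPTP.LONDONDC.COM"
SPN = "HTTP/ettloadbalancer.dwpptp.londondc.com@" + REALM
SAMPLE = b"\x05\x02" + make_entry(REALM, SPN.split("@")[0].split("/"), 3, 3, bytes(8))
```

Calling `check_ticket(parse_keytab(SAMPLE), SPN, 4, 3)` reproduces the mismatch in the question: the ticket names kvno 4 for des-cbc-md5 (3) while the keytab holds only kvno 3.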
