[30492] in Kerberos
Re: KVNO/Keytab Question
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Tue Dec 2 14:04:52 2008
From: "Richard E. Silverman" <res@qoxp.net>
Date: Tue, 02 Dec 2008 11:56:01 -0500
Message-ID: <m2k5aiqzxa.fsf@darwin.oankali.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
>>>>> "KD" == kevin doran <kevin.doran@accenture.com> writes:
KD> On 1 Dec, 21:31, "Douglas E. Engert" <deeng...@anl.gov> wrote:
>> kevin.do...@accenture.com wrote:
>> > Hi, I'm hoping someone can help.
>> >
>> > We are having issues using SPNEGO. Our problem seems to be the one
>> > defined on:
>> > http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>> >
>> > When we try to login, our browsers pass the following ticket
>> > information:
>> >
>> > Ticket
>> >   Tkt-vno: 5
>> >   Realm: DWPPTP.LONDONDC.COM
>> >   Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
>> >     Name-type: Service and Instance (2)
>> >     Name: HTTP
>> >     Name: ettloadbalancer.dwpptp.londondc.com
>> >   enc-part des-cbc-md5
>> >     Encryption type: des-cbc-md5 (3)
>> >     Kvno: 4
>> >     enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>> >
>> > The Kvno is 4, yet when performing a klist on the keytab file:
>> >
>> > ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>> > Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>> > KVNO Principal
>> > ---- --------------------------------------------------------------------------
>> >    3 HTTP/ettloadbalancer.dwpptp.londondc....@DWPPTP.LONDONDC.COM
>> >
>> > We have followed the recommendation of recreating the keytab file and
>> > this has changed the KVNO number in the keytab file. However the KVNO
>> > passed by the browser does not match - how does this value get set?
>> >
>> > Any help is appreciated
>>
>> (Richard Silverman suggested to clean out the client ticket cache,
>> but that may only be part of the problem.)
>>
>> The kvno is usually increased by one each time you change the key in
>> the KDC, so it looks like you did not update the keytab the last time
>> you changed the key. The KDC and keytab need to stay in sync. The
>> client got a ticket with a kvno of 4, but the keytab has a kvno of 3.
>> Do you have more than one copy of the keytab file? I see the word
>> load balancer in your note. Did you update both?
>>
>> Whose KDC are you using, and what tool did you use to create or
>> update the keytab?
>>
>> (The reason for a kvno is that a keytab can have more than one key
>> for a service principal, each with a different kvno. This is done to
>> allow tickets issued with the older kvno to continue to work when a
>> new key and kvno is created in the KDC and keytab. At a later time
>> the keytab can be cleaned up removing the older entry.)
>>
>> > Regards
>> > Kev
>>
>> > ________________________________________________
>> > Kerberos mailing list Kerbe...@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Douglas E. Engert <DEEng...@anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
KD> Hi Douglas, thanks for your response.

KD> ktpass was used to create the keytab. The KDC is maintained by our
KD> local service unit.

KD> We're really scratching our heads at the moment, it seems that
KD> each time we create a new keytab file shortly afterwards the KVNO
KD> in the client ticket changes. I've no idea why they are out of
KD> sync. What changes etc could cause the KVNO to increment on the
KD> KDC?
Extracting the key (ktadd) does that, itself -- you get a *new* key when
you use ktadd. It's important to never do ktadd without also updating any
keytabs which contain the key. In particular, if there are multiple
keytabs, then you can't just use kadmin/ktadd to update them all; you have
to extract the key once and then insert it separately into the remaining
keytabs, e.g. with ktutil.
KD> Thanks
KD> Kev
--
Richard Silverman
res@qoxp.net

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
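The check Douglas and Richard are describing, written out as an added example (this is not code from the thread or from MIT krb5): a small POSIX shell script that compares the kvno the KDC put into a service ticket, as printed by the MIT krb5 kvno utility ("principal: kvno = N"), against the kvnos present in the service's keytab, as printed by klist -kte, and emits the ktutil command lines for appending a once-extracted keytab entry to a second keytab copy, which is the "extract once, insert separately with ktutil" step Richard recommends. Both command outputs are constructed sample text modelled on Kev's post so the script runs offline; the older kvno 2 entry, the timestamps and the /tmp/fresh.keytab path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag the kvno mismatch Kev
# reports (ticket says kvno 4, keytab only holds kvno 3) and print the
# ktutil lines for bringing a second keytab copy up to date.
#
# Live, the two inputs would come from:
#   kvno HTTP/ettloadbalancer.dwpptp.londondc.com   # KDC issues a ticket, prints its kvno
#   klist -kte /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
# Below they are constructed sample outputs in those tools' formats;
# the kvno 2 entry and the timestamps are assumed.

PRINC='HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM'

SAMPLE_KVNO_OUTPUT="$PRINC: kvno = 4"

SAMPLE_KLIST_OUTPUT="Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/01/08 18:02:11 $PRINC (des-cbc-md5)
   2 11/28/08 09:14:55 $PRINC (des-cbc-md5)"

# ticket_kvno "<kvno output>" -> the kvno the KDC put into the service ticket
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# keytab_kvnos "<klist -k output>" "<principal>" -> that principal's kvnos, one per line.
# Works with or without -t/-e: an entry line starts with a number and has the
# principal as one of its fields, wherever the timestamp/enctype columns put it.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }'
}

# kvno_in_sync <ticket kvno> "<klist output>" "<principal>" -> 0 if the keytab
# holds a key with that kvno, 1 otherwise (the service cannot decrypt the ticket)
kvno_in_sync() {
    keytab_kvnos "$2" "$3" | grep -qx "$1"
}

# ktutil_merge_cmds SRC DST -> ktutil script that appends the entries of SRC
# (the keytab written by the single ktadd) to DST (another copy of the keytab),
# so DST gets the same key and kvno without asking the KDC for yet another key.
# Usage: ktutil_merge_cmds /tmp/fresh.keytab /path/to/other.keytab | ktutil
ktutil_merge_cmds() {
    printf 'rkt %s\nwkt %s\nquit\n' "$1" "$2"
}

# report -> 0 when the keytab can decrypt what the KDC issues, 1 on mismatch
report() {
    t=$(ticket_kvno "$SAMPLE_KVNO_OUTPUT")
    if kvno_in_sync "$t" "$SAMPLE_KLIST_OUTPUT" "$PRINC"; then
        echo "ok: keytab holds kvno $t for $PRINC"
        return 0
    fi
    echo "MISMATCH: ticket kvno $t, keytab holds kvno(s): $(keytab_kvnos "$SAMPLE_KLIST_OUTPUT" "$PRINC" | tr '\n' ' ')"
    echo "run ktadd ONCE, copy the resulting file to each host, then there:"
    ktutil_merge_cmds /tmp/fresh.keytab /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab | sed 's/^/    /'
    echo "  (pipe those lines into ktutil; /tmp/fresh.keytab is an assumed path)"
    return 1
}

report || true   # with this sample the mismatch is the expected outcome
```

A kvno that keeps climbing after every "fix" is the symptom of running ktadd (or ktpass with a new password) per host: each run makes the KDC a fresh key, so the copy you made a minute ago is already stale. Extract once, then fan the file out, and keep the previous kvno's entry in the keytab until no ticket issued under it can still be valid.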