Key version number for principal in key table is incorrect - windows 2003 + linux clients - Kerberos


  1. Key version number for principal in key table is incorrect - windows 2003 + linux clients

    Hi all,

    I have seen the earlier replies to the similar issues and tried to
    debug myself. Could not solve the issue, so posting once again.

    I am trying to run the gss api sample applications using windows 2003
    server. I have two linux machines and I am trying to run gss sample
    server and client applications. I have set the default enc types to
    des-cbc-crc and des-cbc-md5 in the krb5.conf file. I have created a
    keytab file entry for sample using ktpass. I have verified that klist
    -ke gives the des-cbc-crc key versions. I have captured the trace and
    verified that windows 2003 KDC is returning the enc types "des-cbc-crc"
    in the AS-REP.

    I have created the keytab file only once for sample/. But when I
    try to connect to the sample server, I get the error: Key version
    number for principal in key table is incorrect.

    Could anybody please help.

    - Sandy


  2. Re: Key version number for principal in key table is incorrect - windows 2003 + linux clients

    sandypossible@gmail.com wrote:
    > Hi all,
    >
    > I have seen the earlier replies to the similar issues and tried to
    > debug myself. Could not solve the issue, so posting once again.
    >
    > I am trying to run the gss api sample applications using windows 2003
    > server. I have two linux machines and I am trying to run gss sample
    > server and client applications. I have set the default enc types to
    > des-cbc-crc and des-cbc-md5 in the krb5.conf file.


    There should be no reason why you want or need to restrict the
    enctypes in a krb5.conf file. Doing so will only create a severe
    maintenance problem once you realize that DES encryption is too weak
    for continued use.

    > I have created a
    > keytab file entry for sample using ktpass.


    What command line did you use?

    > I have verified that klist
    > -ke gives the des-cbc-crc key versions. I have captured the trace and
    > verified that windows 2003 KDC is returning the enc types "des-cbc-crc"
    > in the AS-REP.
    >
    > I have created the keytab file only once for sample/. But when I
    > try to connect to the sample server, I get the error: Key version
    > number for principal in key table is incorrect.


    This is because you did not specify the correct kvno value when you
    executed ktpass.exe. Before executing ktpass.exe, use the "kvno"
    tool to determine what key version number is being issued by Active
    Directory.

    > Could anybody please help.
    >
    > - Sandy




  3. Re: Key version number for principal in key table is incorrect - windows 2003 + linux clients

    Hi,

    There should be no reason why you want or need to restrict the
    enctypes in a krb5.conf file. Doing so will only create a severe
    maintenance problem once you realize that DES encryption is too weak
    for continued use.
    >> Do you mean that there is no need to specify the default_xxx_enctypes in conf file ?

    Could you please confirm ?

    What command line did you use?
    >>c:\>ktpass -princ sample/linux.kerb.com@KERB.COM -mapuser sample -pass -out sample.keytab


    This is because you did not specify the correct kvno value when you
    executed ktpass.exe. Before executing ktpass.exe, use the "kvno"
    tool to determine what key version number is being issued by Active
    Directory.
    >> I tried to use kvno on windows 2003 to find the version number, but it was asking for ccache. I didn't know what to give for ccache. Could you please tell me how to use it ?


    - Sandy.


  4. Re: Key version number for principal in key table is incorrect - windows 2003 + linux clients

    Please learn to properly quote messages from other people.

    sandypossible@gmail.com wrote:
    > Hi,
    >
    > There should be no reason why you want or need to restrict the
    > enctypes in a krb5.conf file. Doing so will only create a severe
    > maintenance problem once you realize that DES encryption is too weak
    > for continued use.
    >>> Do you mean that there is no need to specify the default_xxx_enctypes in conf file ?

    > Could you please confirm ?


    confirmed.

    >
    > What command line did you use?
    >>> c:\>ktpass -princ sample/linux.kerb.com@KERB.COM -mapuser sample -pass -out sample.keytab

    >
    > This is because you did not specify the correct kvno value when you
    > executed ktpass.exe. Before executing ktpass.exe, use the "kvno"
    > tool to determine what key version number is being issued by Active
    > Directory.
    >>> I tried to use kvno on windows 2003 to find the version number, but it was asking for ccache. I didn't know what to give for ccache. Could you please tell me how to use it ?


    Install MIT Kerberos for Windows.

    Execute "kinit " where is a client principal for
    which you know the password and can obtain a TGT. This will create for
    you a credential cache.

    kvno will not ask you for a credential cache unless it cannot find one
    with a valid TGT.

    "kvno sample/linux.kerb.com@KERB.COM"

    will report the key version number of the service ticket for
    "sample/linux.kerb.com@KERB.COM" it was able to obtain using the TGT for
    obtained above.

    Jeffrey Altman
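
The comparison this thread turns on, the kvno stored in the keytab versus the kvno the KDC issues, can be checked offline. The following is an added example, not part of any post above and not MIT or Microsoft code: it parses the MIT keytab file format 0x0502 and flags entries whose kvno differs from the one `kvno` reports. The sample keytab bytes, the all-zero key and the KDC kvno of 3 are constructed, and `parse_keytab` and `stale_entries` are hypothetical names.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode())
        # name type (4), timestamp (4), 8-bit kvno (1), enctype (2) = 11 bytes
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:              # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno,
                    ENCTYPES.get(etype, str(etype))))
    return out

def stale_entries(keytab, principal, kdc_kvno):
    """Entries for principal whose kvno differs from the one the KDC issues."""
    return [e for e in parse_keytab(keytab) if e[0] == principal and e[1] != kdc_kvno]

# Constructed sample: one des-cbc-crc entry, kvno 1, dummy all-zero key.
_body = (b"\x00\x02" b"\x00\x08KERB.COM" b"\x00\x06sample" b"\x00\x0elinux.kerb.com"
         b"\x00\x00\x00\x01" b"\x00\x00\x00\x00" b"\x01" b"\x00\x01" b"\x00\x08" + bytes(8))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
if __name__ == "__main__":
    print(stale_entries(SAMPLE_KEYTAB, "sample/linux.kerb.com@KERB.COM", 3))
```

On a real host, pass the bytes of the keytab file and the number printed by `kvno` for the service principal; any entry returned is one the server cannot use to decrypt tickets issued at the current key version.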
