On 6/19/06, Erich Weiler <[EMAIL PROTECTED]> wrote:
> > Your nfs server's keytab has kvno 5.  You need to do the getprinc on
> > that same principal to see what the key version number is in the KDC.
> > (Your klist shows principal nfs/[EMAIL PROTECTED], but the
> > getprinc output is for nfs/[EMAIL PROTECTED])
> >
> > The kvno of the extracted key in the nfs server's keytab must match
> > the kvno of that same principal in the KDC.  To make sure they match,
> > extract a new keytab for the nfs/nfsserver principal.
>
> Ah, I see what you're saying I think, sorry about the confusion:
>
> kadmin:  getprinc nfs/nfsserver.domain.com
> Principal: nfs/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Mon Jun 19 12:15:22 PDT 2006
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Mon Jun 19 12:15:22 PDT 2006 (admin/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 13, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> Then:
>
> % klist -e -k -t /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>     5 05/08/06 10:04:34 nfs/[EMAIL PROTECTED] (DES cbc
> mode with CRC-32)
>
> So we're looking at kvno 13 vs kvno 5?  By extracting a new keytab, you
> mean just remove the nfs/nfsserver.domain.com from the KDC's
> /etc/krb5.keytab file and do a new 'ktadd -e des-cbc-crc:normal
> nfs/nfsserver.domain.com' (in kadmin) to re-add it?  And it should
> re-add with the matching version number automatically?

Basically, yes.  What ktadd does is generate a new random key for the
principal and put it into the Kerberos database and also into the
keytab.  If you do another ktadd for that principal, it should
generate key version number 14 and put that same key into the Kerberos
database and into the keytab.  You can check this by doing the
getprinc and klist commands afterwards and verifying that both have
kvno 14.

HTH,
K.C.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
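A small check that automates the kvno comparison described above (parse `getprinc` and `klist -e -k -t` output, then confirm the keytab holds a key with the KDC's current kvno). This is an added example, not code from the thread; the sample listings are constructed in the formats shown, with a placeholder realm DOMAIN.COM.

```python
import re

# Constructed samples in the formats shown in the thread (placeholder realm).
# "Before": KDC is at kvno 13, keytab still holds the old kvno 5 key.
GETPRINC_BEFORE = """\
Principal: nfs/nfsserver.domain.com@DOMAIN.COM
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
Policy: [none]
"""
KLIST_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 05/08/06 10:04:34 nfs/nfsserver.domain.com@DOMAIN.COM (DES cbc mode with CRC-32)
"""
# "After" another ktadd: KDC bumped to kvno 14 and the same key was appended
# to the keytab (the stale kvno 5 entry is still present but harmless here).
GETPRINC_AFTER = GETPRINC_BEFORE.replace("vno 13", "vno 14")
KLIST_AFTER = KLIST_BEFORE + \
    "  14 06/19/06 12:30:01 nfs/nfsserver.domain.com@DOMAIN.COM (DES cbc mode with CRC-32)\n"


def parse_getprinc(text):
    """Return (principal, set of kvnos) from `kadmin getprinc` output."""
    principal, vnos = None, set()
    for line in text.splitlines():
        m = re.match(r"Principal:\s+(\S+)", line)
        if m:
            principal = m.group(1)
        m = re.match(r"Key:\s+vno\s+(\d+),", line)
        if m:
            vnos.add(int(m.group(1)))
    return principal, vnos


def parse_keytab_listing(text):
    """Return {principal: set of kvnos} from `klist -e -k -t` output.

    Data rows start with the kvno, then date, time, principal; header and
    separator rows do not start with a digit and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def keytab_matches_kdc(getprinc_text, klist_text):
    """True iff the keytab holds an entry whose kvno the KDC currently has."""
    principal, kdc_vnos = parse_getprinc(getprinc_text)
    keytab_vnos = parse_keytab_listing(klist_text).get(principal, set())
    return bool(kdc_vnos & keytab_vnos)
```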
