I am trying to use a keytab and I get the following error: kerberos login failed: couldn't log in: [Root cause: Decrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect < Decrypting_Error: error decrypting EncPart of AS_REP < Decrypting_Error: error decrypting AS_REP encrypted part: matching key not found in keytab. Looking for [<redacted>] realm: <redacted>.COM kvno: 4 etype: 18
The same keytab works with kinit and other kerberos-aware apps I use. The problem seems to be that the server sends kvno=4 in the AS_REP message (maybe because I changed my password a few times?), but the kvno in the client keytab is 1 because it is a fresh keytab. It seems wrong that these two numbers would have to match in order to be able to use the keytab given that this same keytab works elsewhere. I can change the kvno in the client keytab to match the server but that seems very fragile and shouldn't be necessary.
Any idea?
Thanks
The RFC 4120 @ Section 3.2.3 doesn't actually mention KVNO at all if I read it correctly (and cannot really see kvno mentioned in that RFC in the context of this issue).
However, RFC 7751 says that we SHOULD do the kvno comparison.
IMO, it means that there should be a way to ignore KVNO comparison, especially when there are tools out there that do ignore kvno: not just kinit, for example when using Java to authenticate it ignores KVNO and so does Windows.
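The strict and lenient key lookups discussed in this thread, side by side, as an added Go example that is not code from the issue or from the library involved. The `Entry` type, the `SelectKey` function, the `strictKVNO` switch and the sample values are hypothetical; the lenient path assumes the caller still relies on the decryption integrity check to reject a wrong key.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is a hypothetical, simplified keytab entry (not a real library type).
type Entry struct {
	Principal string
	Realm     string
	KVNO      int
	EType     int32
	Key       []byte
}

var ErrNoKey = errors.New("matching key not found in keytab")

// SelectKey picks the key to try for decrypting a KDC reply.
// An exact (etype, kvno) match always wins. If there is none and strictKVNO
// is false, it falls back to the highest-kvno entry with the same etype.
// The bool result reports whether the kvno matched exactly.
func SelectKey(kt []Entry, princ, realm string, kvno int, etype int32, strictKVNO bool) (Entry, bool, error) {
	var best *Entry
	for i := range kt {
		e := &kt[i]
		if e.Principal != princ || e.Realm != realm || e.EType != etype {
			continue // never fall back across principal, realm or etype
		}
		if e.KVNO == kvno {
			return *e, true, nil
		}
		if best == nil || e.KVNO > best.KVNO {
			best = e
		}
	}
	if best == nil || strictKVNO {
		return Entry{}, false, fmt.Errorf("%w: kvno %d etype %d", ErrNoKey, kvno, etype)
	}
	return *best, false, nil
}

func main() {
	// Constructed sample mirroring the report: keytab kvno 1, reply kvno 4, etype 18.
	kt := []Entry{{"svc", "EXAMPLE.COM", 1, 18, []byte("constructed-key")}}
	_, _, err := SelectKey(kt, "svc", "EXAMPLE.COM", 4, 18, true)
	fmt.Println("strict:", err)
	e, exact, _ := SelectKey(kt, "svc", "EXAMPLE.COM", 4, 18, false)
	fmt.Printf("lenient: kvno=%d exact=%v\n", e.KVNO, exact)
}
```

Logging the non-exact case (the `false` result) keeps a stale keytab visible to operators even when the lenient path succeeds.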