Skip Menu |

From: Luke Howard <>
Subject: ignore_kvno libdefault option
Date: Tue, 17 Jan 2006 03:17:41 +1100

Windows 2000 KDCs do not return key version numbers in tickets, whereas
Windows 2003 KDCs do. We have a customer that has deployed a large number
fo the former, with kvno=1 in each keytab; as soon as they upgrade to
Windows 2003 this will break.

The correct fix is obviously to rewrite the keytab with the real kvno,
however this is difficult to do in a distributed environment; the service
may have no way to contact a Windows 2003 KDC (to determine the kvno) until
it's too late, ie. it receives a ticket from a client that authenticated
against a Windows 2003 KDC.

It seems that the only reliable fix that will work in this deployment is
to allow the client library to ignore the ticket version number, even if
one is provided. (Note that in our environment there is only ever one
entry for a given principal/key type in the keytab.)

Patch at:

-- Luke

New patch from Luke... this checks for kvno 0 in the keytab file, and updates ktutil to allow
specification of kvno 0; no libdefaults option.
Download kvno.diff
application/octet-stream 1.4KiB

Message body not shown because it is not plain text.

Subject: git commit

Allow unspecified kvno in keytab entries

In ktutil, make "-k 0" work when creating a keytab entry. In the
keytab implementations, treat entries with unspecified kvnos as
low-priority matches.

[ adjusted to current file keytab code; added logic
for other keytab types; wrote commit message]
Author: Luke Howard <>
Committer: Greg Hudson <>
Commit: 91afad7fc60fe6ce86f8d4a8ef4ce53c7cada31a
Branch: master
src/kadmin/ktutil/ktutil.c | 6 ++++--
src/lib/krb5/keytab/kt_file.c | 2 +-
src/lib/krb5/keytab/kt_memory.c | 2 +-
src/lib/krb5/keytab/kt_srvtab.c | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)