Apache2 + mod_auth_kerb: Key version number for principal in key table is incorrect
The KVNO is the version number of the keytab; each time you generate a new keytab or the password is changed, the KVNO gets incremented. The number should match what is inside the Active Directory. This error indicates that the keytab contains an entry that the master considers to be out of date.
You can see the KVNO in the directory by using adsiedit.msc. Under the proper user, look for the msDS-KeyVersionNumber attribute; normally it should be identical to what is in the keytab. (In your case 6.)
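The comparison this answer describes, as an added example that is not part of the original answer: it reads `klist -k` output and lists the entries whose KVNO differs from the msDS-KeyVersionNumber value you read in the directory. The helper name `kvno_mismatches`, the example.com principals and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag keytab entries whose KVNO differs from the directory's
# msDS-KeyVersionNumber. Names and sample data below are constructed.

# kvno_mismatches EXPECTED_KVNO [PRINCIPAL_PREFIX]   (hypothetical helper)
# stdin:  output of `klist -k <keytab>` (also tolerates -t / -e columns)
# stdout: "KVNO principal" for each selected entry that differs
# status: 0 all match, 1 at least one differs, 2 no entries parsed
kvno_mismatches() {
    awk -v want="$1" -v prefix="${2:-}" '
        # Entry rows start with a numeric KVNO; title, header and dashed
        # separator rows do not, so they are skipped.
        $1 ~ /^[0-9]+$/ {
            princ = ""
            # The principal is the first later field containing "@"
            # (with -t a timestamp sits between KVNO and principal).
            for (i = 2; i <= NF; i++)
                if (index($i, "@")) { princ = $i; break }
            if (princ == "") next
            if (prefix != "" && index(princ, prefix) != 1) next
            seen++
            if ($1 + 0 != want + 0) { print $1, princ; bad++ }
        }
        END { exit (seen == 0 ? 2 : (bad > 0 ? 1 : 0)) }
    '
}

# Constructed sample of `klist -k` output; example.com names are placeholders.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/web01.example.com@EXAMPLE.COM
   5 HTTP/web01.example.com@EXAMPLE.COM
   6 HTTP/web01.example.com@EXAMPLE.COM
EOF
}

# Demo: directory value is 6; check only the HTTP/ service entries.
if sample_klist_output | kvno_mismatches 6 HTTP/; then
    echo "all HTTP/ entries match KVNO 6"
else
    echo "^ entries above differ from KVNO 6 (or none were parsed)"
fi
```

Against a real keytab the input would come from `klist -k /etc/httpd/httpd.keytab`, with the first argument set to the value shown in adsiedit.msc.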
petRUShka
Updated on September 18, 2022
petRUShka over 1 year
I have configured apache2 and mod_auth_kerb. I set up my .htaccess this way:

    # cat .htaccess
    AuthType Kerberos
    AuthName "Domain login"
    KrbAuthRealms DOMAIN.COM
    KrbMethodK5Passwd on
    Krb5KeyTab /etc/httpd/httpd.keytab
    require valid-user

When I open the page in IE, I get the following error in the Apache logs:
gss_accept_sec_context() failed: Miscellaneous failure (, Key version number for principal in key table is incorrect)
Then I can set the password and log in via Basic Auth, and it is totally OK. But I can't authenticate by ticket.

    # klist -k /etc/httpd/httpd.keytab
    Keytab name: FILE:/etc/httpd/httpd.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       6 host/[email protected]
       6 host/[email protected]
       6 host/[email protected]
       6 host/[email protected]
       6 host/[email protected]
       6 host/[email protected]
       6 [email protected]
       6 [email protected]
       6 [email protected]
       6 HTTP/[email protected]
       6 HTTP/[email protected]
       6 HTTP/[email protected]
       6 HTTP/[email protected]
       6 HTTP/[email protected]
       6 HTTP/[email protected]

What should I do with the KVNO? What is wrong with it?
P.S. The KDC is the KDC inside Active Directory (Windows 2003 server). My server platform is SUSE Linux 10:

    # cat /proc/version
    Linux version 2.6.16.60-0.21-smp (geeko@buildhost) (gcc version 4.1.2 20070115 (SUSE Linux)) #1 SMP Tue May 6 12:41:02 UTC 2008

mod_auth_kerb is the latest (5.4-4.15). The Kerberos lib isn't:

    # zypper search krb
    Restoring system sources...
    Parsing metadata for SUSE Linux Enterprise Server 10 SP3...
    S | Catalog                             | Type    | Name               | Version        | Arch
    --+-------------------------------------+---------+--------------------+----------------+-------
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5               | 1.4.3-19.43.27 | x86_64
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-clients  | 1.4.3-19.43.27 | x86_64
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-servers  | 1.4.3-19.43.27 | x86_64
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-client        | 1.4.3-19.43.27 | x86_64
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-devel         | 1.4.3-19.43.27 | x86_64
    i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-server        | 1.4.3-19.43.27 | x86_64