[OpenAFS] Switching from MIT to win 2003 krb5 server - win question-obtain tokens
Christopher D. Clausen
cclausen@acm.org
Fri, 8 Jun 2007 09:19:31 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
> Christopher D. Clausen wrote:
>> Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
>>> Lars Schimmer wrote:
>>>> A google told me wrong kvno :-(
>>>> Although I ktpass with kvno 4 and imported it as kvno 4...
>>>> Let's try it again.
>>>
>>> ktpass does not set the kvno in AD. It only sets the kvno in the
>>> keytab. You have to use the kvno in the keytab that is used by AD.
>>
>> I think you need to use current kvno + 1 b/c the kvno gets
>> incremented when ktpass.exe is run to create the keytab.
>
> Actually, you want to leave out the parameter entirely.
> The only reason it's there for Windows 2000 compatibility.
Yeah, that is what I thought as well. I've never needed to manually
specify the kvno when using ktpass.exe. I assumed there was a specific
reason for it in this case.
<<CDC