[OpenAFS] Switching from MIT to win 2003 krb5 server - win question-obtain tokens

Christopher D. Clausen cclausen@acm.org
Fri, 8 Jun 2007 09:19:31 -0500

Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
> Christopher D. Clausen wrote:
>> Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
>>> Lars Schimmer wrote:
>>>> A google told me wronkg kvno :-(
>>>> Although I ktpass with kvno 4 and imported it as kvno 4...
>>>> Lets try it again.
>>> ktpass does not set the kvno in AD.  It only sets the kvno in the
>>> keytab.   You have to use the kvno in the keytab that is used by AD.
>> I think you need to use current kvno + 1 b/c the kvno gets
>> incremented when ktpass.exe is run to create the keytab.
> Actually, you want to leave out the parameter entirely.
> The only reason its there is for Windows 2000 compatibility.

Yeah, that is what I thought as well.  I've never needed to manually 
specify the kvno when using ktpass.exe.  I assumed there was a specific 
reason for it in this case.