Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Problems With Key Version Numbers

Sometimes, the key version number (KVNO) used by the KDC and the service principal keys stored in /etc/krb5/krb5.keytab for services hosted on the system do not match. The KVNO can get out of synchronization when a new set of keys are created on the KDC without updating the keytab file with the new keys. After diagnosing the problem, refresh the krb5.keytab file.

  1. List the keytab entries.

    The KVNO for each principal is the first item in each entry.

    # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 host/
    2 host/
    2 host/
    2 nfs/
    2 nfs/
    2 nfs/
    2 nfs/
  2. Acquire an initial credential by using the host key.

    # kinit -k
  3. Determine the KVNO that is used by the KDC.

    # kvno nfs/
    nfs/ kvno = 3

    Note that the KVNO listed here is 3 instead of 2.