
I have configured apache2 and mod_auth_kerb. I set up my .htaccess this way:

# cat .htaccess
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

When I open the page in IE, I get the following error in the apache logs:

gss_accept_sec_context() failed: Miscellaneous failure (, Key version number for principal in key table is incorrect)

Then I can enter my password and log in via Basic Auth and it is totally OK. But I can't authenticate by ticket.

# klist -k /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/portal.domain.com@DOMAIN.COM
   6 host/portal.domain.com@DOMAIN.COM
   6 host/portal.domain.com@DOMAIN.COM
   6 host/portal@DOMAIN.COM
   6 host/portal@DOMAIN.COM
   6 host/portal@DOMAIN.COM
   6 PORTAL$@DOMAIN.COM
   6 PORTAL$@DOMAIN.COM
   6 PORTAL$@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM
   6 HTTP/portal@DOMAIN.COM
   6 HTTP/portal@DOMAIN.COM
   6 HTTP/portal@DOMAIN.COM

What should I do with the KVNO? What's wrong with it?

P.S. The KDC is the KDC inside Active Directory (Windows 2003 Server). My server platform is SUSE Linux 10:

# cat /proc/version
Linux version 2.6.16.60-0.21-smp (geeko@buildhost) (gcc version 4.1.2 20070115 (SUSE Linux)) #1 SMP Tue May 6 12:41:02 UTC 2008

mod_auth_kerb is the latest (5.4-4.15). The Kerberos lib isn't:

# zypper search krb
Restoring system sources...
Parsing metadata for SUSE Linux Enterprise Server 10 SP3...
S | Catalog                             | Type    | Name               | Version        | Arch
--+-------------------------------------+---------+--------------------+----------------+-------
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5               | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-clients  | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-servers  | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-client        | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-devel         | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-server        | 1.4.3-19.43.27 | x86_64
petRUShka

1 Answer

The KVNO is the version number of the keytab; each time you generate a new keytab or the password is changed, the KVNO gets incremented. The number should match what is inside the Active Directory. This error indicates that the keytab contains an entry that the master considers to be out of date.

You can see the KVNO in the directory by using adsiedit.msc. Under the proper user, look for the msDS-KeyVersionNumber attribute; normally it should be identical to what is in the keytab (in your case 6).

Trevor Dell
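As an added example, not code from the question or the answer above: a small POSIX shell script that does the comparison the answer describes, parsing a `klist -k` listing for the KVNOs a keytab holds for one principal and checking them against the KVNO the KDC reports. On a real host the second input comes from either the MIT `kvno` client (`kinit user@DOMAIN.COM && kvno HTTP/portal.domain.com@DOMAIN.COM`, which prints `...: kvno = N`) or from the `msDS-KeyVersionNumber` attribute of the account in AD; both formats are parsed. The keytab listing below is constructed from the question's output, and the KDC value of 7 is an assumption for the demo, not something the page reports.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Checks whether the KVNOs a keytab holds for a service principal include the
# KVNO the KDC (here, Active Directory) currently uses, which is the mismatch
# behind "Key version number for principal in key table is incorrect".
#
# On a real host the inputs come from:
#   klist -k /etc/httpd/httpd.keytab            -> keytab listing
#   kinit user@DOMAIN.COM && kvno HTTP/portal.domain.com@DOMAIN.COM
#                                               -> "...: kvno = N" from the KDC
#   or the msDS-KeyVersionNumber attribute of the account object in AD
#   (adsiedit.msc or an LDAP search), as the answer describes.
# The data below is constructed for this demo; the KDC value of 7 is assumed.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/portal.domain.com@DOMAIN.COM
   6 host/portal.domain.com@DOMAIN.COM
   6 PORTAL$@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM
   6 HTTP/portal.domain.com@DOMAIN.COM'

# Constructed: what "kvno HTTP/..." would report if the account password had
# been reset one more time than the keytab knows about (assumed value).
SAMPLE_KDC_OUT='HTTP/portal.domain.com@DOMAIN.COM: kvno = 7'

# Distinct KVNOs the keytab listing ($1) holds for principal ($2), printed on
# one line, space separated (e.g. "6" or "5 6"). Header and separator lines
# never match because their second field is not a principal name.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && !seen[$1]++ { printf "%s%s", (n++ ? " " : ""), $1 }
        END { print "" }'
}

# KVNO the KDC uses, parsed from either "kvno" client output
# ("...: kvno = 7") or an LDAP attribute line ("msDS-KeyVersionNumber: 7").
kdc_kvno() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' \
        -e 's/^msDS-KeyVersionNumber: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Returns 0 if the keytab listing ($1) has KVNO $3 for principal $2, else 1.
check_kvno() {
    for v in $(keytab_kvnos "$1" "$2"); do
        [ "$v" = "$3" ] && return 0
    done
    return 1
}

# Human-readable verdict: $1 principal, $2 keytab listing, $3 KDC/LDAP output.
kvno_report() {
    have=$(keytab_kvnos "$2" "$1")
    want=$(kdc_kvno "$3")
    if [ -z "$want" ]; then
        echo "unknown: could not read the KDC's KVNO for $1"
    elif check_kvno "$2" "$1" "$want"; then
        echo "ok: keytab KVNO(s) [$have] include KDC KVNO $want for $1"
    else
        echo "mismatch: keytab has KVNO(s) [$have] but KDC uses $want for $1;" \
             "re-export the keytab from AD (ktpass) and reinstall it"
    fi
}

kvno_report 'HTTP/portal.domain.com@DOMAIN.COM' "$SAMPLE_KEYTAB" "$SAMPLE_KDC_OUT"
```

The check is deliberately "does the keytab contain the KDC's KVNO" rather than "is the highest KVNO equal", because a keytab may legitimately carry several versions of a key after a `ktutil` merge; only the version the KDC encrypted the service ticket with has to be present.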