Keytab won't work with (IBM) Java

## Problem: Some versions of (IBM) Java do not work properly with an imported keytab

You will most likely get error messages like:

```
# java com.ibm.security.krb5.internal.tools.Ktab -k /root/ibmkvno1.keytab -l
The format of key table /root/ibmkvno1.keytab is incorrect.
```

OR

```
# java com.ibm.security.krb5.internal.tools.Ktab -k /root/ibmkvno1.keytab -l
Empty keytab, name /root/ibmkvno1.keytab
```

(IBM) Java expects the keytab to contain a key with a key version number (kvno) of 0 (Microsoft Active Directory always exports keys with kvno 0). Keytabs generated by UCS or manually (as described in SDB#1275) usually contain higher key version numbers, because the number is increased whenever a new key is generated (e.g. when the account's password changes).

### Solution: Modify the keytab to force the kvno to be 0
We created a tool for this special task - you’ll find it attached here.

With the help of this tool you can simply recreate the keytab so that it will start with kvno 0 - for example:

```
python univention-keytab-copy.py -k /root/ibmkvno1.keytab -o /root/ibmkvno0.keytab
```

attached files: univention-keytab-copy.py (2.8 KB)
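
To show where the kvno sits inside a keytab, the following Python is an added example (it is not the attached univention-keytab-copy.py and not Univention's code): it parses the MIT keytab file format 0x0502, lists the kvno of each entry, and returns a copy with the kvno fields set to 0. The function names and the sample entry for HTTP/host.example.org@EXAMPLE.ORG with an all-zero dummy key are constructed for this illustration.

```python
import struct

def entries(data):  # yield (start, size) of each live entry, file format 0x0502
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            yield pos + 4, size
        pos += 4 + abs(size)              # a negative size marks a deleted slot

def kvno_fields(data, start, size):  # (principal, enctype, 8-bit kvno offset, 32-bit kvno offset or None)
    (ncomp,) = struct.unpack_from(">H", data, start)
    pos, names = start + 2, []
    for _ in range(ncomp + 1):            # realm first, then the name components
        (n,) = struct.unpack_from(">H", data, pos)
        names.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
        pos += 2 + n
    off8 = pos + 8                        # skip name type (4) and timestamp (4)
    enctype, keylen = struct.unpack_from(">HH", data, off8 + 1)
    pos = off8 + 5 + keylen               # end of the key block
    off32 = pos if start + size - pos >= 4 else None   # optional 32-bit kvno
    return "/".join(names[1:]) + "@" + names[0], enctype, off8, off32

def list_kvnos(data):  # [(principal, enctype, kvno)]; a non-zero 32-bit kvno overrides the 8-bit one
    out = []
    for start, size in entries(data):
        princ, enctype, off8, off32 = kvno_fields(data, start, size)
        kvno32 = struct.unpack_from(">I", data, off32)[0] if off32 is not None else 0
        out.append((princ, enctype, kvno32 or data[off8]))
    return out

def force_kvno_zero(data):  # copy of the keytab with both kvno fields of every entry set to 0
    buf = bytearray(data)
    for start, size in entries(data):
        _, _, off8, off32 = kvno_fields(data, start, size)
        buf[off8] = 0
        if off32 is not None:
            buf[off32:off32 + 4] = bytes(4)
    return bytes(buf)

def sample_entry(kvno):  # constructed entry with an all-zero dummy key, enctype 18
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + s(b"EXAMPLE.ORG") + s(b"HTTP") + s(b"host.example.org")
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, 18, 32) + bytes(32) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry(3)    # constructed keytab, not real key material
```

The rewritten bytes carry the same long-term keys as the input, so store the output with the same restrictive file permissions as the original keytab.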
