##Problem: Some versions of (IBM) Java does not work properly with an imported keytab
You will most likely get error messages like:
# java com.ibm.security.krb5.internal.tools.Ktab -k /root/ibmkvno1.keytab -l
The format of key table /root/ibmkvno1.keytab is incorrect.
OR
# java com.ibm.security.krb5.internal.tools.Ktab -k /root/ibmkvno1.keytab -l
Empty keytab, name /root/ibmkvno1.keytab
(IBM) Java expects the keytab to contain a key with key version number of 0 (Microsoft Active Directory always exports keys with kvno 0). Keytabs generated by UCS or manually (like described in SDB#1275) usually contain higher key version numbers as the number is increased when a new key is generated (e.g. the accounts password changes).
###Solution: Modify the keytab to force the kvno to be 0
We created a tool for this special task - you’ll find it attached here.
With the help of this tool you can simply recreate the keytab so that it will start with kvno 0 - for example:
python univention-keytab-copy.py -k /root/ibmkvno1.keytab -o /root/ibmkvno0.keytab
attached files: univention-keytab-copy.py (2.8 KB)