[33354] in Kerberos

kerberos and Windows 2008R2 - kinit: Key table entry not found

daemon@ATHENA.MIT.EDU (Gomes, Charles)
Thu Apr 28 17:09:05 2011

From: "Gomes, Charles" <cgomes@knight.com>
To: "'kerberos@mit.edu'" <kerberos@mit.edu>
Date: Thu, 28 Apr 2011 17:08:55 -0400
Message-ID: <CDED04E03A9F5348A6B3209F75AC9C6C0401AE2EA8@EXCHANGE1.global.knight.com>

Hello Kerberos List,

I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
I've created a user on Windows and used ktpass to generate the Kerberos keytab:
C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab

I did make sure that "Use Kerberos DES encryption types for this account" was checked.
First I was getting:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: KDC has no support for encryption type while getting initial credentials

So I've checked "Do not require Kerberos preauthentication" and I get:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: Key table entry not found while getting initial credentials

Where should that key table entry be located?
I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this?

Klist
root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES cbc mode with RSA-MD5)

Cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
TESTDOMAIN.COM = {
  kdc = server.testdomain.com:88
  admin_server = server.testdomain.com:749
  default_domain = testdomain.com
}

[domain_realm]
.testdomain.com = TESTDOMAIN.COM
testdomain.com = TESTDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   validate = true
}

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
