[39527] in Kerberos
Re: [validate_tgt] (0x0020): [RID#988] TGT failed verification using
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Mon Jun 23 12:58:43 2025
Message-Id: <202506231655.55NGtvnp022205@hedwig.cmf.nrl.navy.mil>
To: Marco Moock <mm@dorfdsl.de>
cc: kerberos@mit.edu
In-Reply-To: <20250618093205.1f6da8ef@rlcp-nb-5642.prosis.group>
MIME-Version: 1.0
Date: Mon, 23 Jun 2025 12:55:57 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>(0x0020): [RID#988] 2359: [-1765328339][Service key not available]
This means, "I tried to validate the TGT using a locally stored host
key, I was able to get a service ticket for 'host/local-host-name', but
I couldn't find that service key in the local keytab (/etc/krb5.keytab,
typically)'.
Looking at the code, that could be caused by one of:
- You didn't actually store the key for that principal in your local keytab
- A permission problem with the local keytab
- Confusion about the local hostname and what is stored in the local keytab
If I had to guess I'd suspect the first one; that involves coordination
with your AD admins.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
