Key table entry not found

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Aug 14 21:26:11 EDT 2003 

CJ Keist wrote:
> Thank you for your reply.
> 
> On Thursday, August 14, 2003, at 02:50  PM, Wyllys Ingersoll wrote:
> 
>>
>> Im not sure what you mean when you say you are running "version  
>> 5.1.3.1".
> 
> That was the version of MIT's kerberos I downloaded.
> 
>> Are you running the Kerberos code that comes installed with Solaris 9
>> by default or did you put MIT kerberos on top of a Solaris 9 system
>> and are trying to use MIT Kerberos instead?
>>
> Not using what comes with Solaris, I installed the MIT over Solaris's  
> kerberos stuff.
> 
>> Whose pam_krb5 module are you using - Sun's or an open source version?
>>
> Still using whatever came with Solaris pam.conf.

That will cause problems if you are using MIT Kerberos for other stuff
as the pam_krb5 module for Solaris is linked with the Solaris Kerberos
library which is different than the MIT ones and looks for config files
and keytabs in different locations.

> 
>> You *can* put MIT KRB5 on a Solaris 9 system (though the Kerberos that
>> comes with S9 is fully compatible with MIT KRB5 and in most cases you
>> shouldn't need to install MIT), but you must make sure your $PATH  
>> variable
>> is configured so that the MIT binaries are used before the Solaris
>> binaries.
>>
> On the client box I did try to use Solaris kerberos stuff, but was  
> unable to get kadmin to talk to my KDC.  Kept giving me a "realm  
> missmatch" error.  So I gave up and installed the MIT stuff, that got  
> my kadmin to talk to my KDC.

Usually due to a domain_realm mapping problem OR because the host does
not resolve to a f.q.d.n name and the Kerb code has trouble mapping it
to a realm correctly since it cannot find a domain.

Also, the one incompatibility that you will find is that a Solaris KDC
can only talk to a Solaris 'kadmin' client (and vice-versa) due to
different RPC protocols used by MIT and Solaris KDC servers. So, if your
KDC is MIT, then you will have to administer it with the MIT kadmin client.
If its SEAM, then you must use the SEAM kadmin client.


>> One other suggestion would be to remove the MIT installation from the
>> Solaris 9 systems and use the supported Solaris Kerberos stuff, it
>> will eliminate alot of confusion and mismatches like you are seeing.
> 
> 
> Looks like I will try that next.  I didn't realize that Solaris 9 had  
> kerberos already installed, just assumed I need to get the MIT version  
> and install it.

Ah, ok.  Follow up if you continue to have problems.  Also, look
at sunsolve.sun.com and find the latest Solaris 9 SEAM patches.
There have been several updates to the Solaris Kerberos stuff, including
improvements to the pam_krb5 module.

-Wyllys

More information about the Kerberos mailing list