Key table entry not found

CJ Keist cjay at engr.colostate.edu
Fri Aug 15 12:33:45 EDT 2003


Thank you for your help.  I have removed the MIT stuff and reinstalled
Solaris kerberos packages and SEAM packages.  I have the KDC back up and
running now.  Next on to the clients setup.


On Thursday, August 14, 2003, at 07:26  PM, Wyllys Ingersoll wrote:

> CJ Keist wrote:
>> Thank you for your reply.
>> On Thursday, August 14, 2003, at 02:50  PM, Wyllys Ingersoll wrote:
>>>
>>> I'm not sure what you mean when you say you are running "version 5.1.3.1".
>> That was the version of MIT's kerberos I downloaded.
>>> Are you running the Kerberos code that comes installed with Solaris 9
>>> by default or did you put MIT kerberos on top of a Solaris 9 system
>>> and are trying to use MIT Kerberos instead?
>>>
>> Not using what comes with Solaris, I installed the MIT over Solaris's
>> kerberos stuff.
>>> Whose pam_krb5 module are you using - Sun's or an open source version?
>>>
>> Still using whatever came with Solaris pam.conf.
>
> That will cause problems if you are using MIT Kerberos for other stuff
> as the pam_krb5 module for Solaris is linked with the Solaris Kerberos
> library which is different than the MIT ones and looks for config files
> and keytabs in different locations.
>
>>> You *can* put MIT KRB5 on a Solaris 9 system (though the Kerberos that
>>> comes with S9 is fully compatible with MIT KRB5 and in most cases you
>>> shouldn't need to install MIT), but you must make sure your $PATH
>>> variable is configured so that the MIT binaries are used before the
>>> Solaris binaries.
>>>
>> On the client box I did try to use Solaris kerberos stuff, but was
>> unable to get kadmin to talk to my KDC.  Kept giving me a "realm
>> missmatch" error.  So I gave up and installed the MIT stuff, that got
>> my kadmin to talk to my KDC.
>
> Usually due to a domain_realm mapping problem OR because the host does
> not resolve to a f.q.d.n name and the Kerb code has trouble mapping it
> to a realm correctly since it cannot find a domain.
>
> Also, the one incompatibility that you will find is that a Solaris KDC
> can only talk to a Solaris 'kadmin' client (and vice-versa) due to
> different RPC protocols used by MIT and Solaris KDC servers. So, if your
> KDC is MIT, then you will have to administer it with the MIT kadmin client.
> If it's SEAM, then you must use the SEAM kadmin client.
>
>
>>> One other suggestion would be to remove the MIT installation from the
>>> Solaris 9 systems and use the supported Solaris Kerberos stuff, it
>>> will eliminate a lot of confusion and mismatches like you are seeing.
>> Looks like I will try that next.  I didn't realize that Solaris 9 had
>> kerberos already installed, just assumed I need to get the MIT version
>> and install it.
>
> Ah, ok.  Follow up if you continue to have problems.  Also, look
> at sunsolve.sun.com and find the latest Solaris 9 SEAM patches.
> There have been several updates to the Solaris Kerberos stuff, including
> improvements to the pam_krb5 module.
>
> -Wyllys
>
>
---------------------------------------------------------------------------

C. J. Keist                     Email: cj.keist at engr.colostate.edu
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

"All I want is a chance to prove 'Money can't buy happiness'"
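
The quoted reply attributes the realm error to a domain_realm mapping problem or to a host name that is not fully qualified. The sketch below is an added example, not part of the original thread and not MIT or Solaris code: a simplified model of a `[domain_realm]` lookup that reports which of those two conditions applies. The sample configuration, host names and realm are constructed, and the function names are hypothetical.

```python
# Added example: simplified model of a [domain_realm] lookup in krb5.conf.
# The sample config, host names and realm below are constructed.

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ENGR.EXAMPLE.EDU

[domain_realm]
    .engr.example.edu = ENGR.EXAMPLE.EDU
    kdc1.example.edu = ENGR.EXAMPLE.EDU
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries as {lowercased name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Return (realm or None, explanation) for a host name."""
    host = host.lower().rstrip(".")
    if "." not in host:
        return None, "not fully qualified: no domain to match"
    if host in mapping:
        return mapping[host], "exact host entry"
    # Walk up the parent domains, looking for a leading-dot domain entry.
    rest = host
    while "." in rest:
        rest = rest.split(".", 1)[1]
        if "." + rest in mapping:
            return mapping["." + rest], "domain entry ." + rest
    return None, "no domain_realm entry matches"

if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for name in ("client1.engr.example.edu", "kdc1.example.edu",
                 "client1", "www.example.edu"):
        print(name, "->", realm_for_host(name, table))
```

Run it against the name the client actually reports for itself; a short name such as `client1` is the unqualified-host case from the reply, and a `None` result for a fully qualified name points at the mapping.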


