Key table entry not found
ms419@freezone.co.uk
ms419 at freezone.co.uk
Sat Apr 17 03:45:14 EDT 2004
Thanks for the suggestions ... I thought it might be the kvno - but I
checked:
---
kadmin.local: getprinc host/kas.ruz.lat
Principal: host/kas.ruz.lat at RUZ.LAT
Expiration date: [never]
Last password change: Sat Apr 10 01:05:38 PDT 2004
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Apr 10 01:05:38 PDT 2004 (root/admin at RUZ.LAT)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 8, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 8, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
---
kas:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 8 host/kas.ruz.lat at RUZ.LAT
2 8 host/kas.ruz.lat at RUZ.LAT
---
I triple checked: "kinit" on kas works. I can SSH using GSSAPI *from*
kas *to* any machine. But I can't connect from any machine to kas using
GSSAPI authentication. Depending on the service, I usually encounter:
"Key table entry not found".
Again, DNS checks out:
---
kas:~> host kas
kas.ruz.lat has address 192.168.179.9
kas:~> host 192.168.179.9
9.179.168.192.in-addr.arpa domain name pointer kas.ruz.lat.
---
What else could it be?
Thanks again!
Jack
On Apr 15, 2004, at 9:41 AM, Ken Hornstein wrote:
>> Since "kadmin" doesn't support cross realm authentication, I cannot
>> extract a keytab locally: "Ideally, you should extract each keytab
>> locally ... If this is not feasible, you should use an encrypted
>> session to send them across the network." How does one use an
>> encrypted
>> session to send a keytab across the network?
>
> You use your favorite file transfer utility, and you turn on
> encryption?
> E.g., krcp -x, Kerberos ftp by using the "private" command ... you
> get the idea.
>
>> I've tried extracting a keytab using "kadmin.local", then using "scp"
>> to send it to the appropriate machine. Unfortunately, I've encounter
>> errors: "Key table entry not found" I only encounter this error on
>> machines whose keytabs I haven't locally extracted - I suspect the two
>> are related?
>
> You've placed the keytab in the appropriate location? (usually
> /etc/krb5.keytab) Does the kvno in the keytab match the one in the
> KDC?
> Did you try re-running kinit and then connecting again?
>
> --Ken
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
More information about the Kerberos
mailing list