FIXED: Key table entry not found

ms419@freezone.co.uk ms419 at freezone.co.uk
Sat Apr 17 14:27:53 EDT 2004


Thanks Jeff!

My distro created the following in "/etc/hosts":
---
127.0.0.1	kas	localhost
---
So "hostname -f" wasn't reporting the FQDN.
---
127.0.0.1	localhost
---
And now Kerberos works!

Thanks again!

Jack

On Apr 17, 2004, at 7:54 AM, Jeffrey Altman wrote:

> What does "hostname" say the machine name is?
>
>
> ms419 at freezone.co.uk wrote:
>> Thanks for the suggestions ... I thought it might be the kvno - but I
>> checked:
>> ---
>> kadmin.local:  getprinc host/kas.ruz.lat
>> Principal: host/kas.ruz.lat@RUZ.LAT
>> Expiration date: [never]
>> Last password change: Sat Apr 10 01:05:38 PDT 2004
>> Password expiration date: [none]
>> Maximum ticket life: 0 days 10:00:00
>> Maximum renewable life: 7 days 00:00:00
>> Last modified: Sat Apr 10 01:05:38 PDT 2004 (root/admin@RUZ.LAT)
>> Last successful authentication: [never]
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> Number of keys: 2
>> Key: vno 8, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 8, DES cbc mode with CRC-32, no salt
>> Attributes:
>> Policy: [none]
>> ---
>> kas:~# ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    8                 host/kas.ruz.lat@RUZ.LAT
>>    2    8                 host/kas.ruz.lat@RUZ.LAT
>> ---
>> I triple checked: "kinit" on kas works. I can SSH using GSSAPI *from*
>> kas *to* any machine. But I can't connect from any machine to kas using
>> GSSAPI authentication. Depending on the service, I usually encounter:
>> "Key table entry not found".
>>
>> Again, DNS checks out:
>> ---
>> kas:~> host kas
>> kas.ruz.lat has address 192.168.179.9
>> kas:~> host 192.168.179.9
>> 9.179.168.192.in-addr.arpa domain name pointer kas.ruz.lat.
>> ---
>> What else could it be?
>>
>> Thanks again!
>>
>> Jack
>>
>> On Apr 15, 2004, at 9:41 AM, Ken Hornstein wrote:
>>
>>>> Since "kadmin" doesn't support cross realm authentication, I cannot
>>>> extract a keytab locally: "Ideally, you should extract each keytab
>>>> locally ... If this is not feasible, you should use an encrypted
>>>> session to send them across the network." How does one use an
>>>> encrypted session to send a keytab across the network?
>>>
>>>
>>> You use your favorite file transfer utility, and you turn on encryption?
>>> E.g., krcp -x, Kerberos ftp by using the "private" command ... you
>>> get the idea.
>>>
>>>> I've tried extracting a keytab using "kadmin.local", then using "scp"
>>>> to send it to the appropriate machine. Unfortunately, I've encountered
>>>> errors: "Key table entry not found". I only encounter this error on
>>>> machines whose keytabs I haven't locally extracted - I suspect the two
>>>> are related?
>>>
>>>
>>> You've placed the keytab in the appropriate location?  (usually
>>> /etc/krb5.keytab)  Does the kvno in the keytab match the one in the KDC?
>>> Did you try re-running kinit and then connecting again?
>>>
>>> --Ken
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
> -- 
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
>
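
The failure resolved in this thread, as an added example that is not part of any poster's message: it checks which canonical name a hosts file yields for the machine and whether the matching host principal is in a saved `klist -k` listing. The function names are hypothetical, the keytab listing is constructed from the principal and kvno quoted above, and the script assumes the hosts file is consulted before DNS and that the service requests `host/<canonical name>@REALM`.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# canon_from_hosts HOSTS_FILE NAME
# Print the canonical name a files lookup yields for NAME: the first name on
# the first line that lists NAME. Prints nothing when NAME is not listed.
canon_from_hosts() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print tolower($2); exit }
        }' "$1"
}

# check_host_key HOSTS_FILE NAME REALM KEYTAB_LIST
# KEYTAB_LIST is saved "klist -k" output. Assumes the service asks the keytab
# for host/<canonical name>@REALM.
check_host_key() {
    canon=$(canon_from_hosts "$1" "$2")
    if [ -z "$canon" ]; then
        echo "DEFER-TO-DNS"                      # hosts file has no say
        return 0
    fi
    princ="host/$canon@$3"
    if awk -v p="$princ" '$2 == p { ok = 1 } END { exit !ok }' "$4"; then
        echo "OK $princ"
    else
        echo "MISSING $princ"
        return 1
    fi
}

demo=$(mktemp -d)
printf '127.0.0.1\tkas\tlocalhost\n' > "$demo/hosts.before"  # from the post
printf '127.0.0.1\tlocalhost\n' > "$demo/hosts.after"        # from the post
printf '192.168.179.9\tkas.ruz.lat\tkas\n' > "$demo/hosts.fqdn"  # constructed
cat > "$demo/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   8 host/kas.ruz.lat@RUZ.LAT
   8 host/kas.ruz.lat@RUZ.LAT
EOF

for f in before after fqdn; do
    printf '%s: ' "$f"
    check_host_key "$demo/hosts.$f" kas RUZ.LAT "$demo/keytab.txt" || true
done
```

On a live system, `getent hosts "$(hostname)"` shows the name the resolver actually returns; `host` queries DNS directly and does not read /etc/hosts.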


