kinit: Key table entry not found while getting initial credentials
Douglas E. Engert
deengert at anl.gov
Wed Nov 1 10:25:38 EST 2006
scoco wrote:
> Hi Kerberos experts,
>
> could anyone help me in addressing this issue since I am a T-O-T-A-L
> newbie in Kerberos.
>
> I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1)
> using a windows2003 Active Directory as KDC, and I am compelled to use
> the credential of a user different from Solaris' user.
>
Never tried Solaris 8 kerberos against AD but Solaris 10 kerberos works
well with AD. We have used MIT kerberos on all previous Solaris.
> Let's say I work with user appadm on Solaris and user
> domuser at resource.corp in AD.
>
> AD administrator generated a keytab for my Solaris user in this way:
>
This is not needed. You are misinterpreting the "mapuser" of the ktpass.
The ktpass is used for serivces, not for users. The "mapuser" points
to an AD user type account, but the account is used for the service,
like host/your.dns.domain at realm.
You are using kerberos/user at realm, that does not look like a user
or a service.
> Ktpass -princ kerberos/domuser.resource.corp at RESOURCE.CORP -mapuser
> domuser -pass [passwd of domuser] -out domuser.keytab
>
> and gave me the domuser.keytab file.
Users don't normally have keytab files, only services like sshd,
ftpd, rlogind telnetd that al use the same host service principal.
But a user can have a keytab file, and the security risks are about the
same as storing a password. Position of the keytab is almost as
good as possing the password.
>
> I configured krb5.conf and stored the content of this keytab file in
> /etc/krb5/krb5.keytab via ktutil:
>
> ktutil: rkt domuser.keytab
> ktutil: l
> slot KVNO Principal
> ---- ----
> --------------------------------------------------------------------------
> 1 4 kerberos/domuser.resource.corp at RESOURCE.CORP
> ktutil: wkt /etc/krb5/krb5.keytab
> ktutil: q
>
If you application is trying to act as a user, you would not
want to put the keytab in the system's keytab file that is used
by root applications only. Put it in a seperate file.
> Now I think my krb5.conf is correct since I am able to get a TGT via
> kinit in this way:
> kinit kerberos/domuser.resource.corp at RESOURCE.CORP
> then I enter domuser's password and with klist I can see the TGT.
> But I need to obtain the credentials without entering a password since
> the kinit command has to be put in the startup script of an
> application.
So the application is going to act as a user, and initiate sessions
to some other service?
So I tried this:
>
> appadm 99% kinit -k kerberos/domuser.resource.corp at RESOURCE.CORP
> kinit: Key table entry not found while getting initial credentials
>
> :-S ...nothing useful found till now to explain this... what's wrong?
> Any help appreciated.
Could be a Solaris 8 SEAM problem.
> Thanks in advance! :D
> Sandro
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list