kinit: Key table entry not found while getting initial credentials

Will Fiveash William.Fiveash at sun.com
Thu Nov 2 12:02:33 EST 2006


On Wed, Nov 01, 2006 at 09:25:38AM -0600, Douglas E. Engert wrote:
> 
> 
> scoco wrote:
> > Hi Kerberos experts,
> > 
> > could anyone help me in addressing this issue since I am a T-O-T-A-L
> > newbie in Kerberos.
> > 
> > I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1)
> > using a windows2003 Active Directory as KDC, and I am compelled to use
> > the credential of a user different from Solaris' user.
> > 
> 
> Never tried Solaris 8 kerberos against AD but Solaris 10 kerberos works
> well with AD. We have used MIT kerberos on all previous Solaris.

Thanks.  Solaris 10 has full enctype support as well as TCP support
amongst other things that make it play better with AD.

> > Let's say I work with user appadm on Solaris and user
> > domuser@resource.corp in AD.
> > 
> > AD administrator generated a keytab for my Solaris user in this way:
> >
> 
> This is not needed. You are misinterpreting the "mapuser" of the ktpass.
> The ktpass is used for services, not for users. The "mapuser" points
> to an AD user type account, but the account is used for the service,
> like host/your.dns.domain@realm.
> 
> You are using kerberos/user@realm, that does not look like a user
> or a service.
> 
> > Ktpass -princ kerberos/domuser.resource.corp@RESOURCE.CORP -mapuser
> > domuser -pass [passwd of domuser] -out domuser.keytab
> > 
> > and gave me the domuser.keytab file.
> 
> Users don't normally have keytab files, only services like sshd,
> ftpd, rlogind, telnetd that all use the same host service principal.
> 
> But a user can have a keytab file, and the security risks are about the
> same as storing a password. Possession of the keytab is almost as
> good as possessing the password.
> 
> > 
> > I configured krb5.conf and stored the content of this keytab file in
> > /etc/krb5/krb5.keytab via ktutil:
> > 
> > ktutil:  rkt domuser.keytab
> > ktutil:  l
> > slot KVNO Principal
> > ---- ---- --------------------------------------------------------------------------
> >    1    4 kerberos/domuser.resource.corp@RESOURCE.CORP
> > ktutil:  wkt /etc/krb5/krb5.keytab
> > ktutil:  q
> > 
> 
> If your application is trying to act as a user, you would not
> want to put the keytab in the system's keytab file that is used
> by root applications only. Put it in a separate file.

I agree.  /etc/krb5/krb5.keytab should only be readable by root and
contain service principal keys.

> > Now I think my krb5.conf is correct since I am able to get a TGT via
> > kinit in this way:
> > kinit kerberos/domuser.resource.corp@RESOURCE.CORP
> > then I enter domuser's password and with klist I can see the TGT.
> > But I need to obtain the credentials without entering a password since
> > the kinit command has to be put in the startup script of an
> > application.
> 
> So the application is going to act as a user, and initiate sessions
> to some other service?
> 
> > So I tried this:
> > 
> > appadm 99% kinit -k kerberos/domuser.resource.corp@RESOURCE.CORP
> > kinit: Key table entry not found while getting initial credentials
> > 
> > :-S ...nothing useful found till now to explain this... what's wrong?
> > Any help appreciated.
> 
> Could be a Solaris 8 SEAM problem.

What does klist -k show?  Are you running as root? 

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
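
The two questions above (what the keytab lists, and whether the caller can read it) can be checked together. The following is an added example, not code from the thread or from any Kerberos distribution; it assumes the keytab uses file format version 0x0502, and the sample keytab, its enctype value and its all-zero key are constructed for illustration.

```python
import os
import struct

def parse_keytab(data):
    """List (principal, kvno, enctype) from keytab bytes, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):  # 16-bit length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted slot: skip it
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if pos + size - p >= 4:  # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos += size
    return entries

def diagnose(path, principal):
    """Why 'kinit -k -t path principal' would fail, or the matching kvno."""
    if not os.path.isfile(path):
        return "no keytab file"
    if not os.access(path, os.R_OK):  # e.g. appadm reading a root-only keytab
        return "keytab not readable by this user"
    with open(path, "rb") as f:
        hits = [e for e in parse_keytab(f.read()) if e[0] == principal]
    return "found, kvno %d" % hits[0][1] if hits else "no entry for principal"

def sample_keytab():
    """Constructed keytab: the thread's principal, kvno 4, all-zero dummy key."""
    def cs(s):
        return struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + cs("RESOURCE.CORP") + cs("kerberos")
            + cs("domuser.resource.corp")
            + struct.pack(">IIBHH", 1, 0, 4, 23, 16) + bytes(16)
            + struct.pack(">I", 4))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run `diagnose()` as the same account that will call `kinit -k`, since the readability check depends on the calling user.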


