Bizarre problem with authenticating a service principal with AD
Jason Testart
jatestart at cs.uwaterloo.ca
Sun Mar 11 22:17:17 EDT 2007
I'm trying to get pam_krb5 working with an Active Directory domain. It
works when I don't have a krb5.keytab file but it doesn't when I do,
since the verification of the TGT using the service principal fails with
an error: "Key table entry not found". The keytab file is simple as it
only contains the "host" service principal for the Ubuntu Linux box that
I am testing with.
So, I figured I screwed up somehow with the generation of the keytab
file using ktpass.exe. However, I don't think I did. When I run "klist
-k", copy the principal name from the output, and paste that principal
name to the end of "kinit -k", I still get the error:
kinit(v5): Key table entry not found while getting initial credentials
I am ready to pull all of my hair out. I ran strace on the invocation
of kinit, and it seems to be reading the keytab file properly, and I ran
tcpdump to see what's going on there. While at one point I saw "preauth
required", turning off preauth in the AD Account settings for that
principal seems to have fixed that.
Does anybody have any ideas? Could I be missing something very obvious?
Note: I have created host service principals for other hosts and the
"kinit -k <host principal>" works fine. The other hosts are running
Solaris 8 with a locally built v1.6. On the Linux platform, I am using
the Ubuntu/Debian package (patched v1.4.3, I think). I am striving to
stick with pre-packaged software.
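The manual loop described in the post (run "klist -k", copy each principal, feed it to "kinit -k") can be scripted so every keytab entry is tried and the most common name mismatches are flagged. This is an added diagnostic example, not code from the post or from the MIT or Ubuntu krb5 packages; the host name and realm in the sample listing are made up, and the classification it does (exact match, upper/lower case difference, realm difference, absent) is a general check, not the cause of the problem reported above.

```shell
#!/bin/sh
# Diagnostic helper for "Key table entry not found" on kinit -k.
# Added example; the hostname/realm in the constructed sample are fictitious.

# Read `klist -k` output on stdin and print "KVNO principal" once per
# distinct pair (klist -k repeats a principal once per encryption type).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 {
        key = $1 " " $2
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Compare the principal you intend to hand to `kinit -k` with the keytab
# listing on stdin. Kerberos principal names are case-sensitive, so a
# listing that differs only in case is still a miss.
# Prints one of: exact | case-mismatch | realm-mismatch | missing
match_principal() {
    awk -v target="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $2
            if (p == target) { exact = 1 }
            else if (tolower(p) == tolower(target)) { ci = 1 }
            else {
                split(p, a, "@"); split(target, b, "@")
                if (tolower(a[1]) == tolower(b[1])) { realm = 1 }
            }
        }
        END {
            if (exact) print "exact"
            else if (ci) print "case-mismatch"
            else if (realm) print "realm-mismatch"
            else print "missing"
        }'
}

# Attempt a keytab-based initial ticket for every principal in the keytab
# and report which ones the KDC rejects. Needs the real krb5 tools and a
# reachable KDC, so it is not exercised offline.
test_keytab_logins() {
    keytab=${1:-/etc/krb5.keytab}
    klist -k "$keytab" | keytab_principals | while read -r kvno princ; do
        if kinit -k -t "$keytab" "$princ" 2>/dev/null; then
            echo "OK   kvno=$kvno $princ"
            kdestroy 2>/dev/null
        else
            echo "FAIL kvno=$kvno $princ"
        fi
    done
}

# Usage: sh keytab-check.sh --run /etc/krb5.keytab
if [ "${1:-}" = "--run" ]; then
    test_keytab_logins "${2:-}"
fi
```

A FAIL line for a principal that klist shows as present usually means the name in the keytab and the name the KDC knows differ in some detail klist does not make obvious (case, realm, or key version), so the match_principal result is worth reading before regenerating anything with ktpass.exe.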