Bizarre problem with authenticating a service principal with AD

Jason Testart jatestart at cs.uwaterloo.ca
Sun Mar 11 23:23:52 EDT 2007



Tom Yu wrote:
>>>>>> "Jason" == Jason Testart <jatestart at cs.uwaterloo.ca> writes:
> 
> Jason> I'm trying to get pam_krb5 working with an Active Directory domain.  It 
> Jason> works when I don't have a krb5.keytab file but it doesn't when I do, 
> Jason> since the verification of the TGT using the service principal fails with 
> Jason> an error: "Key table entry not found".  The keytab file is simple as it 
> Jason> only contains the "host" service principal for the Ubuntu Linux box that 
> Jason> I am testing with.
> 
> Jason> So, I figured I screwed up somehow with the generation of the keytab 
> Jason> file using ktpass.exe.  However, I don't think I did.  When I run "klist 
> Jason> -k", copy the principal name from the output, and paste that principal 
> Jason> name to the end of "kinit -k", I still get the error:
> 
> Jason>    kinit(v5): Key table entry not found while getting initial credentials
> 
> Do your key version numbers match?

Yes, they do.  In AD, msDS-KeyVersionNumber is "2", and "klist -ke" 
gives a KVNO of 2.




