Bizarre problem with authenticating a service principal with AD
Jason Testart
jatestart at cs.uwaterloo.ca
Sun Mar 11 23:23:52 EDT 2007
Tom Yu wrote:
>>>>>> "Jason" == Jason Testart <jatestart at cs.uwaterloo.ca> writes:
>
> Jason> I'm trying to get pam_krb5 working with an Active Directory domain. It
> Jason> works when I don't have a krb5.keytab file but it doesn't when I do,
> Jason> since the verification of the TGT using the service principal fails with
> Jason> an error: "Key table entry not found". The keytab file is simple as it
> Jason> only contains the "host" service principal for the Ubuntu Linux box that
> Jason> I am testing with.
>
> Jason> So, I figured I screwed up somehow with the generation of the keytab
> Jason> file using ktpass.exe. However, I don't think I did. When I run "klist
> Jason> -k", copy the principal name from the output, and paste that principal
> Jason> name to the end of "kinit -k", I still get the error:
>
> Jason> kinit(v5): Key table entry not found while getting initial credentials
>
> Do your key version numbers match?
Yes, they do. In AD, msDS-KeyVersionNumber is "2", and "klist -ke"
gives a KVNO of 2.