Bizarre problem with authenticating a service principal with AD

Jason Testart jatestart at cs.uwaterloo.ca
Sun Mar 11 23:49:28 EDT 2007



Jeffrey Altman wrote:
> Jason Testart wrote:
>> I'm trying to get pam_krb5 working with an Active Directory domain.  It 
>> works when I don't have a krb5.keytab file but it doesn't when I do, 
>> since the verification of the TGT using the service principal fails with 
>> an error: "Key table entry not found".  The keytab file is simple as it 
>> only contains the "host" service principal for the Ubuntu Linux box that 
>> I am testing with.
> What enctype is the service ticket being encrypted with?

I used the default.  "ktpass /?" says that's RC4-HMAC-NT.

> 
> Does that enctype exist in the keytab?

"ArcFour with HMAC/md5".  Sounds like a match.

> 
> Does the kvno of the service ticket match the kvno of the entry in the
> keytab?

Yes.
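
The checks asked about in this thread (does the keytab hold an entry for the service principal with the ticket's enctype and kvno) can be run against the keytab bytes themselves. The following is an added example, not part of the original messages: it parses keytab file format 0x0502 and reports which check fails; the host name, realm, kvno and all-zero key are constructed sample values, and `build_entry`, `parse_keytab` and `diagnose` are names chosen for this sketch.

```python
import struct

def build_entry(principal, realm, kvno, enctype, key):
    """Constructed sample data: encode one entry in keytab format 0x0502."""
    names = [realm] + principal.split("/")        # realm first, then components
    body = struct.pack(">H", len(names) - 1)      # component count excludes realm
    for s in names:
        body += struct.pack(">H", len(s)) + s.encode()
    # name type, timestamp, 8-bit kvno, enctype, key length, key
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype), ...] from raw keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                             # negative size marks a deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        end, p = pos + size, pos + 2
        names = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        # skip 8 bytes (name type, timestamp), then kvno, enctype, key length
        kvno, enctype, klen = struct.unpack_from(">8xBHH", data, p)
        p += 13 + klen
        if end - p >= 4:                          # a nonzero 32-bit kvno wins
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def diagnose(entries, principal, kvno, enctype):
    """Report which check from the thread fails for a given service ticket."""
    mine = [e for e in entries if e[0] == principal]   # case-sensitive compare
    if not mine:
        return "no entry for principal"
    if not any(e[2] == enctype for e in mine):
        return "enctype missing"
    ok = any(e[1] == kvno and e[2] == enctype for e in mine)
    return "match" if ok else "kvno mismatch"

# Constructed sample: one host principal, kvno 3, enctype 23 (RC4-HMAC), dummy key.
SAMPLE = b"\x05\x02" + build_entry("host/ubuntu1.example.test", "EXAMPLE.TEST", 3, 23, bytes(16))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and call `diagnose` with the principal, kvno and enctype of the service ticket.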



