Bizarre problem with authenticating a service principal with AD

Douglas E. Engert deengert at anl.gov
Mon Mar 12 12:01:44 EDT 2007


You did not provide the host name, the default realm name in
the krb5.conf, the AD domain name or the ktpass command you used.
I have seen many people have problems with the names. If Tom's
or Jeff's suggestions don't help, have a look at the names.

Jason Testart wrote:
> I'm trying to get pam_krb5 working with an Active Directory domain.  It 
> works when I don't have a krb5.keytab file but it doesn't when I do, 
> since the verification of the TGT using the service principal fails with 
> an error: "Key table entry not found".  The keytab file is simple as it 
> only contains the "host" service principal for the Ubuntu Linux box that 
> I am testing with.
> 
> So, I figured I screwed up somehow with the generation of the keytab 
> file using ktpass.exe.  However, I don't think I did.  When I run "klist 
> -k", copy the principal name from the output, and paste that principal 
> name to the end of "kinit -k", I still get the error:
> 
>    kinit(v5): Key table entry not found while getting initial credentials
> 
> I am ready to pull all of my hair out.  I ran strace on the invocation 
> of kinit, and it seems to be reading the keytab file properly, and I ran 
> tcpdump to see what's going on there.  While at one point I saw "preauth 
> required", turning off preauth in the AD Account settings for that 
> principal seems to have fixed that.
> 
> Does anybody have any ideas?  Could I be missing something very obvious?
> 
> Note: I have created host service principals for other hosts and the 
> "kinit -k <host principal>" works fine.  The other hosts are running 
> Solaris 8 with a locally built v1.6.  On the Linux platform, I am using 
> the Ubuntu/Debian package (patched v1.4.3, I think).  I am striving to 
> stick with pre-packaged software.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
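
An added illustration of the name check suggested above (not part of the original message and not MIT Kerberos code): it lists the principal names stored in a version-2 MIT keytab and compares them exactly against host/<fqdn>@<default realm>, because MIT keytab lookups are case-sensitive. The function names and the example.com values are constructed for illustration, and the "host" service is assumed from the quoted question.

```python
import struct

def keytab_entries(data):
    """Parse MIT keytab bytes (format 0x0502) into a list of principal names."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        p, end = pos, pos + size
        def counted():                     # 16-bit length, then that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()         # realm is stored before the components
        name = "/".join(counted().decode() for _ in range(ncomp))
        out.append(f"{name}@{realm}")      # kvno, enctype and key are skipped
        pos = end
    return out

def name_problems(entries, fqdn, default_realm):
    """Explain why host/<fqdn>@<default_realm> has no exact keytab match."""
    want = f"host/{fqdn}@{default_realm}"
    names = sorted(set(entries))
    if want in names:
        return []
    notes = [f"no entry for {want}"]
    for n in names:
        if n.lower() == want.lower():
            notes.append(f"{n} differs only in letter case")
        elif n.rsplit("@", 1)[0].lower() == f"host/{fqdn}".lower():
            notes.append(f"{n} is in a different realm")
    return notes

def sample_entry(principal, kvno=3, etype=23):
    """Constructed test data: one keytab entry with a dummy all-zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(b"\0" * 16)
    return struct.pack(">i", len(body)) + body
```

On a real host the inputs would be the bytes of the krb5.keytab file, the host's fully qualified name, and the default realm from krb5.conf.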


