pamkrbval: KDC policy rejects request for this entry

Richard Curtis ricurtis at
Tue Aug 26 14:35:55 EDT 2008

  I am trying to get an HPUX 11i box to authenticate against our
active directory (Windows 2003r2) domain with kerberos but I am
getting nowhere fast.

As per the docs I have, I have created a user account in active
directory, then used "ktpass -princ
host/ at DOMAIN.HOST.COM -mapuser unix_lient
-pass <pass> -out c:\krb5.keytab"
The keytab looks fine when I use ktutil, but I cannot do a kinit... I
keep getting "KDC policy rejects request for this entry"

I am guessing this is more of a Windows/AD config issue, but thought
someone here might have seen this?

cat /etc/krb5.conf
default_realm = DOMAIN.HOST.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
ticket_liftetime = 24000
#dns_lookup_kdc = true

kdc =
kpasswd_server =


default = FILE:/var/adm/krb5lib.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kKDCmind.log

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

unix_client:/var/adm/syslog >pamkrbval -v

 Validating the pam configuration files
 ---------- --- --- ------------- -----

 Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
           as libpam_updbe library is not configured

 Validating the kerberos config file
 ---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

 Connecting to default Realm
 ---------- -- ------- -----
[LOG] : The default realm is : DOMAIN.HOST.COM
[LOG] : KDC hosts for realm DOMAIN.HOST.COM
[LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
[LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
[PASS] : Default Realm is issuing tickets

 Validating the keytab entry for the host service principal
 ---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host unix_client,  aka
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
Principal: host
Host     :
Version  : 23
[LOG] : Pinging KDC to verify whether
host/ at DOMAIN.HOST.COM exists
pamkrbval: KDC policy rejects request for this entry
[WARNING] : The keytab entry for the host service principal
host/ at DOMAIN.HOST.COM is invalid
[FAIL] : The keytab validation failed

 Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

unix_client:/var/adm/syslog >ktutil -i
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   23 host/unix_client.domain at DOMAIN.HOST.COM
ktutil:  unix_client:/var/adm/syslog >

unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
kinit(v5): KDC policy rejects request while getting initial credentials

Thanks in advance for any help
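The ktutil listing above shows only slot, KVNO and principal, not the enctype of the key in the keytab, and a KDC policy check can reject a request on enctype alone; the krb5.conf above pins both default enctypes to DES-CBC-CRC. The following Python script is an added example, not part of the original post: it reads the MIT 0x0502 keytab format directly and flags entries whose enctype falls outside an assumed AD policy set (RC4 and AES only, with DES disabled). The sample keytab bytes are constructed in the script, and the enctype table and the AD_NO_DES policy set are assumptions.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",  # RFC 3961/3962/4757 numbers
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Enctypes an AD KDC issues for a service account with DES left disabled (assumed policy).
AD_NO_DES = {17, 18, 23}

def _counted(buf, off):  # 16-bit length-prefixed octet string -> (bytes, new offset)
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT 0x0502 keytab into dicts: principal, kvno, etype, enctype, timestamp."""
    assert data[:2] == b"\x05\x02", "unsupported keytab format version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(body, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack(">IIB", body[off:off + 9])
        (etype,) = struct.unpack(">H", body[off + 9:off + 11])
        _key, off = _counted(body, off + 11)  # key material is not reported, only its type
        kvno = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "etype": etype, "enctype": ENCTYPES.get(etype, str(etype)), "timestamp": ts})
    return entries

def entries_rejected_by(entries, allowed=AD_NO_DES):
    """Principals whose keytab enctype falls outside what the KDC policy will issue."""
    return [e["principal"] for e in entries if e["etype"] not in allowed]

def _entry(principal, realm, kvno, etype, key):
    """Pack one keytab entry; used only to build the constructed sample below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)  # NT-PRINCIPAL, timestamp 0, vno8, enctype
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: the poster's principal and kvno 23, but keyed with des-cbc-crc.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("host/unix_client.domain", "DOMAIN.HOST.COM", 23, 1, b"\x01" * 8)
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and compare the reported enctypes with what the KDC is configured to issue for that account.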

More information about the Kerberos mailing list