pamkrbval: KDC policy rejects request for this entry

Douglas E. Engert deengert at anl.gov
Tue Aug 26 15:17:31 EDT 2008



Richard Curtis wrote:
> Hi,
>   I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
> 
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
> -pass <pass> -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"
> 
> I am guessing this is more of a Windows/AD config issue, but thought
> someone here might have seen this?

Your krb5.conf is saying use DES-CBC-CRC

You did not specify -DesOnly on the ktpass,
so I bet the krb5.keytab has a RC4-HMAC-NT type key.
If the HP can use RC4, try without the default_*_enctypes.
Do you really need the ccache_type = 2 also?

The kvno is 23, so you must have been trying this for a while.
Did the keytabs get out of sync?

> 
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.HOST.COM
> default_tgs_enctypes = DES-CBC-CRC
> default_tkt_enctypes = DES-CBC-CRC
> ccache_type = 2
> ticket_liftetime = 24000
> #dns_lookup_kdc = true
> 
> [realms]
> DOMAIN.HOST.COM = {
> kdc = 2003_dc.domain.host.com
> kpasswd_server = 2003_dc.domain.host.com:464
> }
> 
> [domain_realm]
> domain.host.com = DOMAIN.HOST.COM
> .domain.host.com = DOMAIN.HOST.COM
> 
> [logging]
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
> 
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> 
> unix_client:/var/adm/syslog >pamkrbval -v
> 
>  Validating the pam configuration files
>  ---------- --- --- ------------- -----
> 
>  Validating the /etc/pam.conf file
> [LOG] : The /etc/pam.conf files permissions are fine
> [LOG] : Opened : /etc/pam.conf
> 
> [PASS] : The validation of config file: /etc/pam.conf passed
> 
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>            as libpam_updbe library is not configured
> 
>  Validating the kerberos config file
>  ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
> 
>  Connecting to default Realm
>  ---------- -- ------- -----
> [LOG] : The default realm is : DOMAIN.HOST.COM
> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
> [PASS] : Default Realm is issuing tickets
> 
>  Validating the keytab entry for the host service principal
>  ---------- --- ------ ----- --- --- ---- ------- ---------
> [LOG] : Host unix_client,  aka unix_client.domain.host.com.
> [LOG] : The default keytab name is : /etc/krb5.keytab
> [LOG] : Keytab file /etc/krb5.keytab is present
> [LOG] : Permissions on /etc/krb5.keytab are correct.
> Keytab entry
> Principal: host
> Host     : unix_client.domain.host.com
> Realm    : DOMAIN.HOST.COM
> Version  : 23
> [LOG] : Pinging KDC to verify whether
> host/unix_client.domain.host.com at DOMAIN.HOST.COM exists
> pamkrbval: KDC policy rejects request for this entry
> [WARNING] : The keytab entry for the host service principal
> host/unix_client.domain.host.com at DOMAIN.HOST.COM is invalid
> [FAIL] : The keytab validation failed
> 
>  Validating the rc_host file for ownership
> -------- ------ ---- -------- ------ -----
> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
> 
> unix_client:/var/adm/syslog >ktutil -i
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1   23 host/unix_client.domain at DOMAIN.HOST.COM
> ktutil:
> ktutil:  unix_client:/var/adm/syslog >
> 
> 
> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
> host/unix_client.domain.host.com
> kinit(v5): KDC policy rejects request while getting initial credentials
> 
> Thanks in advance for any help
> 
> Regards
> 
> Richard

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
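Douglas's diagnosis above (krb5.conf pinning default_tkt_enctypes/default_tgs_enctypes to DES-CBC-CRC while the ktpass keytab, written without -DesOnly, holds an RC4-HMAC key) can be confirmed by reading the keytab's enctypes directly instead of inferring them from the KDC error. The following Python is an added example, not code from the thread or from MIT Kerberos: it parses the MIT keytab version 0x0502 layout, reports each entry's enctype and kvno, and flags entries that no configured enctype matches; the keytab bytes are constructed inline and the function and constant names are assumptions of this example.

```python
import struct
# Enctype numbers from RFC 3961/4120; 23 is what ktpass writes by default (RC4-HMAC-NT)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _cos(b):  # counted_octet_string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cos(data, p):  # inverse of _cos: returns (bytes, offset after them)
    n = struct.unpack_from(">H", data, p)[0]
    return data[p + 2:p + 2 + n], p + 2 + n
def build_keytab(entries):  # (principal, kvno, enctype, key) tuples -> version 0x0502 keytab bytes (constructed)
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode()) + b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):  # version 0x0502 keytab bytes -> list of {principal, kvno, enctype, enctype_name}
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            off -= size
            continue
        end, ncomp = off + size, struct.unpack_from(">H", data, off)[0]
        realm, p = _read_cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p)
            comps.append(c.decode())
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)  # after 4-byte name_type, 4-byte timestamp, 8-bit vno
        q = p + 13 + keylen
        vno = struct.unpack_from(">I", data, q)[0] if end - q >= 4 else data[p + 8]  # 32-bit vno is optional
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
        off = end
    return entries
def unusable_entries(entries, configured):  # keys that no default_tkt/tgs_enctypes value can use
    return [e for e in entries if e["enctype_name"] not in configured]

# Constructed sample: the thread's host principal as ktpass without -DesOnly writes it (RC4-HMAC, kvno 23)
SAMPLE_KEYTAB = build_keytab([("host/unix_client.domain.host.com@DOMAIN.HOST.COM", 23, 23, bytes(16))])
CONFIGURED = ["des-cbc-crc"]  # what the posted krb5.conf pins via default_*_enctypes
```

Run against a real /etc/krb5.keytab (`parse_keytab(open(path, "rb").read())`) the same check shows at a glance whether the enctypes ktpass wrote are ones the client's krb5.conf will ever ask for.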


