kerberos and Windows 2008R2 - kinit: Key table entry not found while getting initial credentials

Gomes, Charles cgomes at knight.com
Thu Apr 28 17:08:55 EDT 2011


Hello Kerberos List,

I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
I've created a user on windows and used the ktpass to generate the Kerberos keytab:
C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab

I did make sure that "Use Kerberos DES encryption types for this account" was checked.
First I was getting:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: KDC has no support for encryption type while getting initial credentials

So I've checked "Do not require Kerberos preauthentication" and I get:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: Key table entry not found while getting initial credentials

Where should that key table entry be located?
I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this?

Klist
root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES cbc mode with RSA-MD5)

Cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
TESTDOMAIN.COM = {
  kdc = server.testdomain.com:88
  admin_server = server.testdomain.com:749
  default_domain = testdomain.com
}

[domain_realm]
.testdomain.com = TESTDOMAIN.COM
testdomain.com = TESTDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   validate = true
}





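Added example, not part of the original post: one check for "Key table entry not found" is whether the keytab holds a key for each encryption type the client requests, since kinit -k needs a keytab key matching the principal and the enctype the KDC replies with. The sketch below compares the default_tkt_enctypes line with the klist -ke output shown in the post; the sample inputs are constructed from the post, and the klist description strings other than the DES/RSA-MD5 one are assumptions.

```python
import re

# Constructed inputs mirroring the post: `klist -ke -t` output and the krb5.conf lines.
KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
  12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES cbc mode with RSA-MD5)
"""
CONF = """\
[libdefaults]
default_realm = TESTDOMAIN.COM
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""
# klist description -> krb5.conf name. Only the DES/RSA-MD5 string appears in the
# post; the other two are assumed from MIT klist output of the same era.
DESC = {"DES cbc mode with RSA-MD5": "des-cbc-md5",
        "DES cbc mode with CRC-32": "des-cbc-crc",
        "ArcFour with HMAC/md5": "arcfour-hmac"}
ALIAS = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}
ROW = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s+\((.+)\)\s*$")

def setting(conf, key):
    """Return the value of a `key = value` line from krb5.conf text, or ''."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", conf, re.M)
    return m.group(1).strip() if m else ""

def keytab_keys(klist_text):
    """Map principal -> set of (kvno, enctype) parsed from klist -ke output."""
    keys = {}
    for line in klist_text.splitlines():
        m = ROW.match(line)
        if m:
            kvno, princ, desc = m.groups()
            keys.setdefault(princ, set()).add((int(kvno), DESC.get(desc, desc)))
    return keys

def check(principal, klist_text, conf):
    """For each requested enctype, in preference order, say whether the keytab has a key."""
    if "@" not in principal:  # kinit appends default_realm when none is given
        principal += "@" + setting(conf, "default_realm")
    have = {e for _, e in keytab_keys(klist_text).get(principal, set())}
    wanted = [ALIAS.get(e, e) for e in setting(conf, "default_tkt_enctypes").split()]
    return [(e, e in have) for e in wanted]

if __name__ == "__main__":
    for etype, ok in check("host/jc1lqaldap.testdomain.com", KLIST, CONF):
        print(f"{etype:14} {'key in keytab' if ok else 'NO keytab key'}")
```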




