kerberos and Windows 2008R2 - kinit: Key table entry not found while getting initial credentials

Mark Pröhl mark at mproehl.net
Fri Apr 29 09:34:13 EDT 2011 

Hi,

DES is disabled by default in windows 2008 r2. So if you do not need 
DES, then just create the keytab for stronger enryption types.  If you 
really need DES,  you have to configure your windows KDC to issue DES 
tickets. You should not disable preauthentication

Regards,

Mark Pröhl



On 04/28/2011 11:08 PM, Gomes, Charles wrote:
> Hello Kerberos List,
>
> I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
> I've created a user on windows and used the ktpass to generate the Kerberos keytab:
> C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com at TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
>
> I did make sure that "User Kerberos DES encryption types for this account" was checked.
> First I was getting:
> root at jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: KDC has no support for encryption type while getting initial credentials
>
> So I've checked "Do not require Kerberos preauthentication" and I get:
> root at jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: Key table entry not found while getting initial credentials
>
> Where should that key table entry be located ?
> I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Klist
> root at jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com at TESTDOMAIN.COM (DES cbc mode with RSA-MD5)
>
>
>
>
>
> Cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TESTDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> [realms]
> TESTDOMAIN.COM = {
>    kdc = server.testdomain.com:88
>    admin_server = server.testdomain.com:749
>    default_domain = testdomain.com
> }
>
> [domain_realm]
> .testdomain.com = TESTDOMAIN.COM
> testdomain.com = TESTDOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     validate = true
> }
>
>
>
>
>
> DISCLAIMER:
> This e-mail, and any attachments thereto, is intended only for use by the addressee(s)named herein and
> may contain legally privileged and/or confidential information. If you are not the intended recipient of this
> e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachments
> thereto, is strictly prohibited. If you have received this in error, please immediately notify me and permanently
> delete the original and any printout thereof. E-mail transmission cannot be guaranteed to be secure or error-free.
> The sender therefore does not accept liability for any errors or omissions in the contents of this message which
> arise as a result of e-mail transmission.
> NOTICE REGARDING PRIVACY AND CONFIDENTIALITY
> Knight Capital Group may, at its discretion, monitor and review the content of all e-mail communications.
>
> http://www.knight.com<http://www.knight.com/>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list