Cross Realm Administration?

Douglas E. Engert deengert at
Wed Jan 26 10:28:03 EST 2011

On 1/25/2011 3:01 PM, Jeff draht wrote:
> Doug,
>          this is the issue I am having after creating a users keytab
> file;
> ktutil:  addent -password -p xf1adm at LAB-PASSHE.LCL -k 7 -e arcfour-
> hmac-md5
> Password for xf1adm at LAB-PASSHE.LCL:
> ktutil:  list
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
>     1    7                    xf1adm at LAB-PASSHE.LCL
> ktutil:  wkt /var/tmp/xf1adm-keytab-new-012511
> ktutil:  q
> root at yeoman:/usr/local/bin>klist -ke /var/tmp/xf1adm-keytab-new-012511
> ----
> --------------------------------------------------------------------------
>     7 xf1adm at LAB-PASSHE.LCL (ArcFour with HMAC/md5)
> Then;
> kinit –k –t /var/tmp/xf1adm-keytab-new-012511  xf1adm at LAB-PASSHE.LCL
> However, this function does not work;  it errors;
> kinit -k -t /var/tmp/xf1adm-keytab-new-012511 xf1adm at LAB-PASSHE.LCL
> kinit(v5): Key table entry not found while getting initial credentials

I ran into a problem like this in 2009, on Solaris 10 client to AD 2008
involving AES256.

I think what might be going on is the kinit sends the AS-REQ message
to the KDC with a list of supported enctypes. The KDC then picks the best
  enctype supported for that principal and returns the ticket.
If the client send AES, and the KDC supports it, then an AES key will
be needed. The problem is the kinit does not look to see what encytes
are available in the keytab. When using a password, kinit can generate
a key for any enctype from the password so this is not an issue.

The way to see if this is the case is to use Wireshark or other
network trace program on the client. You should see the KRB5 packets
and can see the AS-REQ being sent and the enctypes that are supported.
The AS-REP from the KDC will contain a ticket which is encrypted
for the use by the client principal. I bet it says it is looking
for something other the ArcFour, or the kvno does not match.

Ways around this:
Look at the msDS-SupportedEncryptionTypes attribute on the
xf1adm AD account. (Look at the msDS-KeyVersionNumber too.)

This could be changed in AD for the client to only support ArcFour.

Or the keytab entry could have AES256. But if you are using the SAP
client later, make sure SAP can support AES256 too, as it will need
to use the krbtgt ticket to get more tickets.

> Thanks and I will start using the link you suggested for my
> questions...
> Jeff
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list