need help -- kinit (1.9.1) fails to process keytab

Greg Hudson ghudson at MIT.EDU
Thu Jun 30 00:52:52 EDT 2011


On Wed, 2011-06-29 at 23:42 -0400, Rex, Martin wrote:
> I've tried everything I can reasonably think of, but kinit -k
> always fails with the nonsensical error message
> "kinit: Key table entry not found while getting initial credentials"

You can probably get a better picture of the problem by setting the
environment variable KRB5_TRACE to a filename (or just /dev/stdout) for
the kinit command.

This error message ought to name the principal it didn't find, but for
complicated reasons the more specific message gets lost in some (common)
configurations.

> So if anything, kinit might tell me that it received something
> encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
> for the specified principal in the specified keytab

I think we can rule out a kvno mismatch.  The code path for kinit -k
doesn't look for a specific kvno in the keytab, and the error message
for that case would be different ("Key version number for principal in
key table is incorrect").

> Shouldn't kinit
> be in the perfect position, after having just successfully obtained
> a TGT for that user, to write out a perfect keytab that will
> work with "kinit -k" -- or otherwise tell me all necessary details
> about what I will have to type into tools like ktutil or what to
> supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
> what kinit without -k just succeeded doing?

At some point in the process, inside the library, the necessary
information would be on hand to write out a keytab entry for one
enctype.




