need help -- kinit (1.9.1) fails to process keytab
Greg Hudson
ghudson at MIT.EDU
Thu Jun 30 00:52:52 EDT 2011
On Wed, 2011-06-29 at 23:42 -0400, Rex, Martin wrote:
> I've tried everything I can reasonably think of, but kinit -k
> always fails with the non-sensical error message
> "kinit: Key table entry not found while getting initial credentials"
You can probably get a better picture of the problem by setting the
environment variable KRB5_TRACE to a filename (or just /dev/stdout) for
the kinit command.
This error message ought to name the principal it didn't find, but for
complicated reasons the more specific message gets lost in some (common)
configurations.
> So if anything, kinit might tell me that it received something
> encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
> for the specified principal in the specified keytab
I think we can rule out a kvno mismatch. The code path for kinit -k
doesn't look for a specific kvno in the keytab, and the error message
for that case would be different ("Key version number for principal in
key table is incorrect").
> Shouldn't kinit
> be in the perfect position, after having just successfully obtained
> a TGT for that user, to write out a perfect keytab that will
> work with "kinit -k" -- or otherwise tell me all necessary details
> about what I will have to type into tools like ktutil or what to
> supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
> what kinit without -k just succeeded doing?
At some point in the process, inside the library, the necessary
information would be on hand to write out a keytab entry for one
enctype.
More information about the Kerberos
mailing list