Issue with Kerberos setting in Sun Solaris 10

Benjamin Kaduk kaduk at MIT.EDU
Sun Apr 21 13:13:03 EDT 2013


On Fri, 19 Apr 2013, Ray Vand wrote:

> Then I moved the sapldap.keytab to my SAP Server in tmp directory
>
> # ktutil
> ktutil: rkt /tmp/sapldap
> ktutil: l -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    7  sapldap/ads.company.com at COMPANY.COM (DES cvc mode with RSA-MD5)
>
> ktutil: wkt /etc/krb5.keytab
> ktutil: q
>
> Here is where I am getting error/having issue when running next command.
>
> # kinit -V -k sapldap/ads.company.com at COMPANY.COM
>
> kinit(v5): Key table entry not found while getting initial credentials
>
> but if I use it without the -k option it works and it takes the password

It is a bit perplexing.  Stock Solaris 10 is not an environment I am 
familiar with, but I can speak some about the related MIT krb5 codebase.

With a des-cbc-md5 key, a common problem would be the need to specify 
allow_weak_crypto=true in krb5.conf.  However, since password 
authentication works, that is unlikely to be the cause.

What I would try at this point is to use ktutil's addent subcommand to 
generate a keytab using the password (which is known to work).  It's 
probably best to use a separate keytab from /etc/krb5.keytab for this 
test, so that the different keytab entries can be told apart.  Then use 
the -t argument to kinit to specify a path to that new keytab.  If I 
remember correctly, the keytab entry's kvno field is not used when getting 
initiator credentials, so even if 'kinit -k -t' works, that is not a 
guarantee that the keytab will work for acceptor credentials, as in that 
case the kvno must be correct (that is, in agreement with the KDC (domain 
controller) database).

-Ben Kaduk

