Issue with Kerberos setting in Sun Solaris 10
Benjamin Kaduk
kaduk at MIT.EDU
Sun Apr 21 13:13:03 EDT 2013
On Fri, 19 Apr 2013, Ray Vand wrote:
> Then I moved the sapldap.keytab to my SAP Server in tmp directory
>
> # ktutil
> ktutil: rkt /tmp/sapldap
> ktutil: l -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 7 sapldap/ads.company.com at COMPANY.COM (DES cvc mode with RSA-MD5)
>
> ktutil: wkt /etc/krb5.keytab
> ktutil: q
>
> Here is where I am getting error/having issue when running next command.
>
> # kinit -V -k sapldap/ads.company.com at COMPANY.COM
>
> kinit(v5): Key table entry not found while getting initial credentials
>
> but if I use it without -k option it working and It takes password
It is a bit perplexing. Stock Solaris 10 is not an environment I am
familiar with, but I can speak some about the related MIT krb5 codebase.
With a des-cbc-md5 key, a common problem would be the need to specify
allow_weak_crypto=true in krb5.conf. However, since password
authentication works, that is unlikely to be the cause.
What I would try at this point is to use ktutil's addent subcommand to
generate a keytab using the password (which is known to work). It's
probably best to use a separate keytab from /etc/krb5.keytab for this
test, so that the different keytab entries can be told apart. Then use
the -t argument to kinit to specify a path to that new keytab. If I
remember correctly, the keytab entry's kvno field is not used when getting
initiator credentials, so even if 'kinit -k -t' works, that is not a
guarantee that the keytab will work for acceptor credentials, as in that
case the kvno must be correct (that is, in agreement with the KDC (domain
controller) database).
-Ben KAduk
More information about the Kerberos
mailing list