Issue with Kerberos setting in Sun Solaris 10

Benjamin Kaduk kaduk at MIT.EDU
Mon Apr 22 16:27:59 EDT 2013


[putting the list back in the cc]

On Mon, 22 Apr 2013, Ray Vand wrote:

> Ben,
>
> kvno was 9 because I gave a new value in addent command.
>
> ktutil:  addent -password -p sapldap/ads.company.com at COMPANY.COM -k 9 -e DES-CBC-MD5

Ah, okay.  As I said earlier, I don't think this kvno will affect 'kinit 
-k', but is relevant when used as an acceptor.

> I created a new one with kvno 7 and tried it. Still getting initial 
> credentials error.

Right, I wouldn't expect that to change.

Some ways of generating a keytab will increment the kvno on the KDC, which 
will cause problems for existing keytabs; it sounds like that is not what 
is causing this problem.

> ktutil:  addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
> Password for sapldap/ads.company.com@ COMPANY.COM:
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    7  sapldap/ads.company.com@ COMPANY.COM
> ktutil:  wkt /tmp/ray.keytab
> ktutil:  q
>
> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>
> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
> kinit(v5): Key table entry not found while getting initial credentials

I assume the space between '@' and "COMPANY.COM" is introduced while 
transcribing into email?  If it is present in the actual command line it 
may cause problems.

You never did say if you are using the Solaris integrated tools or an 
external installation of MIT kerberos.

-Ben


More information about the Kerberos mailing list