Key table entry not found?

Matthew M. DeLoera mdeloera at exacq.com
Thu Apr 26 11:15:23 EDT 2012 

Hello everyone,

Running into a hassle, and not sure what else I should look at. I hope someone might have some suggestions for what else I should investigate. This is a test I'm trying to execute, not a production environment of any sort. Apologies if this is too much info.

Generated keytab with ktpass in Windows Server 2008:

ktpass -princ EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM -mapuser deloeraanalog at HOOCH.EXACQ.COM -pass deloeraanalog -out deloeraanalog.keytab -crypto all -ptype KRB5_NT_PRINCIPAL

Got output:

Output keytab to deloeraanalog.keytab:
Keytab version: 0x502
keysize 77 EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM ptype 1 (KRB5_NT_P
RINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0xd0f2046df18f76d9)
keysize 77 EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM ptype 1 (KRB5_NT_P
RINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd0f2046df18f76d9)
keysize 85 EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM ptype 1 (KRB5_NT_P
RINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0x2f33b202c28427b3bdfbf738b5
0fd991)
keysize 101 EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM ptype 1 (KRB5_NT_
PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0x633ef9c2f07e34c0e5df2c
fc2a496c6e28050ea730a49c93ddbca52908e15b4e)
keysize 85 EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM ptype 1 (KRB5_NT_P
RINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0xbc313b5d9bc70698fe6f6d3
9dea2859a)

Running my server app in Ubuntu 10.04 (using gssglue). Running my client app in WinXP. I can successfully log into the domain from the WinXP machine, and I can successfully kinit in Linux, so as far as I can tell, basic realm config (krb5.conf) seems fine.

My client app gets the TGT, and successfully requests the SPN (EDVR/deloeraanalog.hooch.exacq.com at HOOCH.EXACQ.COM). My server app passes the token to gss_acquire_cred, which fails with "key table entry not found."

As far as I can tell, the SPN looks like it's spelled correctly. I Wiresharked and verified the SPN and kvno I saw there, and checked on the Linux machine with kinit -k. I see version 5 returned by AD/KDC to my client, I see version 5 in the keytab, and ktpass displayed 5 like I copy-pasted above. I also saw enctype rc4-hmac returned to my client, and verified it's in the keytab. So as far as I can tell, both kvno and enctype seem consistent everywhere. Verified etype 0x17 in the above ktpass output, and decimal 23 in the TGT-REP to my client.

Short of trying a much shorter SPN, I'm not sure what else to check. Apologies if I'm missing something really obvious. I don't see my Linux machine attempting any DNS queries (running Wireshark) so I assume DNS is not an issue for me?

Any ideas?

Regards,
- Matthew

More information about the krbdev mailing list