gss_acquire_cred - failed with "No key entry found"
Benjamin Kaduk
kaduk at MIT.EDU
Wed Aug 28 22:31:24 EDT 2013
On Wed, 28 Aug 2013, letz.yaara wrote:
> Hi,
>
> Does gss_acquire_cred require the service principal name to be
> resolved to the current machine ?
The behavior of gss_acquire_cred is rather different depending on what
cred_usage argument is passed (GSS_C_BOTH, GSS_C_INITIATE, or
GSS_C_ACCEPT) ... the later messages make me suspect GSS_C_ACCEPT, but in
future messages, please provide this information.
> I got the following minor error code (major was Failure):
>
> [2] [ERROR] [27/08/2013 13:23:26] [display_status_type()] GSSAPI
> Minor error: *No key table entry found matching
> HTTP/ptr-216-8-179-23.ptr.nextdimensioninc.com@* (code: 39756033)
>
>
> (No idea what is ptr-216-8-179-23.ptr.nextdimensioninc.com)
It looks like the DNS PTR record for the host whose credentials are in
place, from the Kerberos library reverse-resolving the IP address that the
name resolves to.
> I used gss_import_name with GSS_C_NT_HOSTBASED_SERVICE and the spn was
> HTTP at bla.realm.org
>
> But it was resolved once I add to /etc/hosts the line -
>
> 127.0.1.1 bla.realm.org
It is probably better to use the actual IP address of bla.realm.org, not
a localhost address. In any case, I expect that setting rdns=false in the
[libdefaults] section of krb5.conf on the machine will eliminate the need
to override the reverse resolution via /etc/hosts.
> Do you know why? Before the upgrade it used to work without updating
> the /etc/hosts file
You did not specify which upgrade process broke things; I cannot make
predictions without data.
-Ben Kaduk
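The failure mode discussed in this thread, modelled as an added example (not code from the thread or from MIT krb5): with reverse DNS canonicalization enabled, the acceptor looks up the PTR name of the host's address in the keytab rather than the name the administrator configured, and the key is not found. The DNS tables, keytab contents, IP addresses and the `REALM.ORG` realm below are all constructed for the illustration; the lookup chain is a simplified model of libkrb5's behaviour, not its implementation.

```python
"""Model of acceptor principal canonicalization versus keytab contents,
illustrating why gss_acquire_cred with GSS_C_ACCEPT reports
"No key table entry found" when rdns is on and the PTR name differs
from the configured hostname. Added illustration, not libkrb5 code."""

# Constructed forward (A) and reverse (PTR) records. The PTR name is not the
# name the administrator created a key for, which is the thread's situation.
FORWARD_DNS = {"bla.realm.org": "192.0.2.10"}
REVERSE_DNS = {"192.0.2.10": "ptr-216-8-179-23.ptr.nextdimensioninc.com"}

# Constructed keytab listing (what `klist -k` would show): only the key the
# administrator actually created.
KEYTAB = ["HTTP/bla.realm.org@REALM.ORG"]


def canonicalize_host(host, forward=FORWARD_DNS, reverse=REVERSE_DNS, rdns=True):
    """Return the hostname used when matching a host-based service name.

    With rdns=True the forward name is resolved to an address and the PTR
    record for that address replaces the name (the krb5.conf default).
    With rdns=False the forward name is kept. A missing A or PTR record
    leaves the name unchanged rather than failing.
    """
    host = host.lower().rstrip(".")
    addr = forward.get(host)
    if addr is None or not rdns:
        return host
    return reverse.get(addr, host).lower().rstrip(".")


def acquire_accept_cred(service, host, keytab=KEYTAB, rdns=True,
                        forward=FORWARD_DNS, reverse=REVERSE_DNS):
    """Simulate gss_acquire_cred(..., GSS_C_ACCEPT) for a name imported with
    GSS_C_NT_HOSTBASED_SERVICE: succeed only if the canonicalized
    service/host has a key in the keytab.

    A host-based name carries no realm (hence the trailing "@" in the
    thread's error text), so the match is on the service/host part only.
    Returns (True, matched_entry) or (False, minor_status_text).
    """
    wanted = f"{service}/{canonicalize_host(host, forward, reverse, rdns)}"
    for entry in keytab:
        if entry.split("@", 1)[0] == wanted:
            return True, entry
    return False, f"No key table entry found matching {wanted}@"


if __name__ == "__main__":
    # Default: rdns on, PTR name wins, no key -> the error from the thread.
    print(acquire_accept_cred("HTTP", "bla.realm.org"))
    # Fix 1 from the reply: rdns=false in [libdefaults] of krb5.conf.
    print(acquire_accept_cred("HTTP", "bla.realm.org", rdns=False))
    # Fix 2 (the /etc/hosts workaround): an override that makes the address
    # reverse-resolve back to the configured name, rdns still on.
    hosts_fwd = {"bla.realm.org": "127.0.1.1"}
    hosts_rev = {"127.0.1.1": "bla.realm.org"}
    print(acquire_accept_cred("HTTP", "bla.realm.org",
                              forward=hosts_fwd, reverse=hosts_rev))
```

Running the block prints the failing lookup first, then the two successful ones. The `rdns=False` path corresponds to adding `rdns = false` under `[libdefaults]` in krb5.conf, which removes the dependency on the PTR record entirely; the `/etc/hosts` path only works for as long as the override stays in sync with the keytab.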