gss_acquire_cred - failed with "No key entry found"

Benjamin Kaduk kaduk at MIT.EDU
Wed Aug 28 22:31:24 EDT 2013

On Wed, 28 Aug 2013, letz.yaara wrote:

> Hi,
> Does gss_acquire_cred require the service principal name to be
> resolved to the current machine ?

The behavior of gss_acquire_cred is rather different depending on what 
cred_usage argument is passed (GSS_C_BOTH, GSS_C_INITIATE, or 
GSS_C_ACCEPT) ... the later messages make me suspect GSS_C_ACCEPT, but in 
future messages, please provide this information.

> I got the following minor error code (major was Failure):
> [2] [ERROR] [27/08/2013 13:23:26]  [display_status_type()] GSSAPI
> Minor error: *No key table entry found matching
> HTTP/* (code: 39756033)
> (No idea what is

It looks like the DNS PTR record for the host whose credentials are in 
place, from the kerberos library reverse-resolving the IP address that the 
name resolves to.

> I used gss_import_name with GSS_C_NT_HOSTBASED_SERVICE and the spn was
> HTTP at
> But it was resolved once I add to /etc/hosts the line -

It is probably better to use the actual IPI address of, not 
a localhost address.  In any case, I expect that setting rdns=false in the 
[libdefaults] section of krb5.conf on the machine will eliminate the need 
to override the reverse resolution via /etc/hosts.

> Do you know why? Before the upgrade it used to work without updating
> the /etc/hosts file

You did not specify which upgrade process broke things, I cannot make 
predictions without data.

-Ben Kaduk

More information about the krbdev mailing list