On Fri, 19 Apr 2013, Ray Vand wrote:

> Then I moved the sapldap.keytab to my SAP Server in tmp directory
>
> # ktutil
> ktutil: rkt /tmp/sapldap
> ktutil: l -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 7 sapldap/[email protected] (DES cvc mode with RSA-MD5)
>
> ktutil: wkt /etc/krb5.keytab
> ktutil: q
>
> Here is where I am getting error/having issue when running next command.
>
> # kinit -V -k sapldap/[email protected]
>
> kinit(v5): Key table entry not found while getting initial credentials
>
> but if I use it without -k option it is working and it takes password

It is a bit perplexing. Stock Solaris 10 is not an environment I am familiar with, but I can speak some about the related MIT krb5 codebase. With a des-cbc-md5 key, a common problem would be the need to specify allow_weak_crypto=true in krb5.conf. However, since password authentication works, that is unlikely to be the cause.

What I would try at this point is to use ktutil's addent subcommand to generate a keytab using the password (which is known to work). It's probably best to use a separate keytab from /etc/krb5.keytab for this test, so that the different keytab entries can be told apart. Then use the -t argument to kinit to specify a path to that new keytab.

If I remember correctly, the keytab entry's kvno field is not used when getting initiator credentials, so even if 'kinit -k -t' works, that is not a guarantee that the keytab will work for acceptor credentials, as in that case the kvno must be correct (that is, in agreement with the KDC (domain controller) database).

-Ben Kaduk
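
An added example, not part of the original thread or of MIT krb5: a small Python reader for the keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, so a test keytab can be told apart from /etc/krb5.keytab and its kvno compared with the KDC's. The principal, the sample bytes and all function names are constructed for illustration; kdc_kvno is a value the caller supplies.

```python
import struct

WEAK = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # single-DES enctypes

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)    # 16-bit length prefix, then data
    return buf[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(rec):
    off, fields = 2, []
    for _ in range(struct.unpack_from(">H", rec, 0)[0] + 1):   # realm, then components
        field, off = _counted(rec, off)
        fields.append(field.decode())
    _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, off)
    _key, off = _counted(rec, off + 11)
    if len(rec) - off >= 4:                      # optional 32-bit kvno replaces the 8-bit one
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return {"principal": "/".join(fields[1:]) + "@" + fields[0], "kvno": kvno, "enctype": etype}

def parse_keytab(data):
    """List principal, kvno and enctype for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            entries.append(_parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)                     # negative size marks a deleted slot
    return entries

def check_entries(entries, principal, kdc_kvno):   # kdc_kvno: read from the KDC by the caller
    mine = [e for e in entries if e["principal"] == principal]
    findings = [] if mine else ["no keytab entry for " + principal]
    for e in mine:
        if e["enctype"] in WEAK:
            findings.append(WEAK[e["enctype"]] + ": single-DES, needs allow_weak_crypto=true")
        if e["kvno"] != kdc_kvno:
            findings.append("kvno %d does not match KDC kvno %d" % (e["kvno"], kdc_kvno))
    return findings

def build_entry(realm, comps, kvno, etype, key):   # serializer for the constructed sample
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(p)) + p.encode() for p in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: a deleted 4-byte slot, then a des-cbc-md5 (3) entry with kvno 7.
SAMPLE = (b"\x05\x02" + struct.pack(">i", -4) + bytes(4)
          + build_entry("EXAMPLE.COM", ["sapldap", "host.example.com"], 7, 3, bytes(8)))
```

Run parse_keytab over the bytes of the keytab written with addent, then pass the result to check_entries with the kvno the KDC reports for the principal.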
