kprop: Key table entry not found while getting initial ticket

I try to take good notes so that I can reproduce my problems and
successes.  This week is the first time I have ever touched kerberos.  I
am using Red Hat ES3 and the default rpms.

The short of it:
kdb5_util dump /var/kerberos/krb5kdc/dump
kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net
kprop: Key table entry not found while getting initial ticket

Now what?

My guess is that I am not asking for the correct ticket for kpropd.  A
normal inetd.conf entry would be:
krb5_prop  stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd

My thinking is that the second kpropd is my principal.  However, my
xinetd entry does not.  I have tried it both ways so am sending
everything I have to the list.

I have also changed my logging from the basic stuff in RH to:
	kdc = SYSLOG:INFO:LOCAL1
	admin_server = SYSLOG:INFO:LOCAL2
hoping I would get more debug information, but no dice.

I have googled, read the docs in /usr/share/doc/krb5-server/ and done
this twice.  I am very frustrated and would appreciate any help.

# cat /etc/xinetd.d/krb5_prop
# 2004-01-27  Jud Bishop
# description:  kpropd is the propagation daemon for Kerberos
service krb5_prop
{
        flags           = KEEPALIVE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/kpropd
#       server          = /usr/kerberos/sbin/kpropd kpropd
#        server_args     = kpropd
        enable          = yes
}


How I got here:
Make sure you have NTP running and the times are close.

Make sure your /etc/hosts files are correct. 
On the master:
cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost blues kerberos
172.16.1.56     blues.eamc.net  kerberos.eamc.net kerberos

On the slave:
cat /etc/hosts
127.0.0.1               localhost.localdomain localhost mail kerberos-1
172.16.1.55             mail.eamc.net kerberos-1.eamc.net mail kerberos-1

Make sure your DNS entries are correct, both forward and reverse:
eamc.net.               A       172.16.1.110
www                     CNAME   eamc.net.
mail                    A       172.16.1.55
blues                   A       172.16.1.56
webmail                 CNAME   blues
; Kerberos Stuff
kerberos                CNAME   blues
kerberos-1              CNAME   mail
;ldap                   CNAME   blues
;ldap-1
; Kerberos master setup
_kerberos               TXT     "EAMC.NET"
_kerberos-master._udp   SRV     0 0 88 kerberos
_kerberos-adm._tcp      SRV     0 0 749 kerberos
_kpasswd._udp           SRV     0 0 464 Kerberos
; Round-robin setup
_kerberos._udp          SRV     0 0 88 kerberos
_kerberos._udp          SRV     0 0 750 kerberos
;                       SRV     0 0 88 kerberos-1
;                       SRV     0 0 88 kerberos-2
_ldap._tcp.eamc.net     SRV     0 0 389 ldap
;                       SRV     0 0 389 ldap-1


Edit the files listed below and change everything from 
EXAMPLE.COM/example.com to your domain name, make sure to preserve the 
CAPS/small case as this matters.
/etc/krb5.conf
/etc/krb.conf
/etc/krb.realms
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kadm5.acl

Now it's time to create the new realm.
master# kdb5_util create -r EAMC.NET -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm
'EAMC.NET',
master key name 'K/M@EAMC.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

master# kadmin.local
Authenticating as principal root/admin@EAMC.NET with password.
kadmin.local:  listprincs
K/M@EAMC.NET
kadmin/admin@EAMC.NET
kadmin/changepw@EAMC.NET
kadmin/history@EAMC.NET
krbtgt/EAMC.NET@EAMC.NET

Creates:
principal
principal.kadm5
principal.kadm5.lock
principal.ok

master# kadmin.local
Authenticating as principal root/admin@EAMC.NET with password.
kadmin.local: addprinc root/admin@EAMC.NET
kadmin.local: addprinc misjlb/admin@EAMC.NET
kadmin.local: addprinc admin/admin@EAMC.NET

Grant access to the administrative control list for our new users,
misjlb and root.
master# cat /var/kerberos/krb5kdc/kadm5.acl 
root/admin@EAMC.NET     *
misjlb/admin@EAMC.NET   *

Restart kadmind to make the changes take effect.
master# /etc/init.d/kadmin restart
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]

kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin/changepw
Entry for principal kadmin/admin with kvno 5, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 5, encryption type DES cbc
mode with CRC-32 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption type DES cbc
mode with CRC-32 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:

master# kadmin
Authenticating as principal misjlb/admin@EAMC.NET with password.
Enter password:
kadmin:

Now let's add a day to day user.
kadmin.local: addprinc misjlb/@EAMC.NET
Enter password for principal "misjlb@EAMC.NET":
Re-enter password for principal "misjlb@EAMC.NET":
Principal "misjlb@EAMC.NET" created.

Slave propagation.
Install Kerberos on the slave boxes.  On both the master and slave add
the slave kdc to the [realms] stanza in /etc/krb5.conf

[realms]
 EAMC.NET = {
  kdc = blues.eamc.net:88
  kdc = mail.eamc.net:88
  admin_server = blues.eamc.net:749
  default_domain = eamc.net
 }

And add the slave to /etc/krb.conf
EAMC.NET
EAMC.NET        blues.eamc.net:88
EAMC.NET        mail.eamc.net:88
EAMC.NET        blues.eamc.net:749 admin server

slave# kadmin
Authenticating as principal root/admin@EAMC.NET with password.
kadmin: Cannot contact any KDC for requested realm while initializing
kadmin interface

OK.  Let's just try to get a ticket...
slave# kinit root/admin@EAMC.NET
kinit(v5): Cannot contact any KDC for requested realm while getting
initial credentials

Looks like we have firewall problems...
Let's run this wide open while we test, then we'll add the following
ports and test again to make sure it works through the firewall.
Ports to open in the future:
88	tcp/udp		authentication
389	
464
749	tcp/udp		slave propagation
750
754			slave propagation
2105			eklogin


master# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]

slave# /etc/init.d/krb5kdc status
krb5kdc is stopped
slave# /etc/init.d/kadmin status
kadmind is stopped

slave# kinit
kinit(v5): Client not found in Kerberos database while getting initial
credentials

I'll bet we need to add our principal data since our host is not yet in
the database:
slave# kinit root/admin@EAMC.NET
Password for root/admin@EAMC.NET:
slave#

We got a ticket.

slave# kadmin
Authenticating as principal root/admin@EAMC.NET with password.
Enter password:
kadmin:

We are in!

Now continuing on the slave...
kadmin:  listprincs
K/M@EAMC.NET
admin/admin@EAMC.NET
kadmin/admin@EAMC.NET
kadmin/changepw@EAMC.NET
kadmin/history@EAMC.NET
krbtgt/EAMC.NET@EAMC.NET
misjlb/admin@EAMC.NET
misjlb@EAMC.NET
root/admin@EAMC.NET
kadmin:  addprinc -randkey host/mail.eamc.net
WARNING: no policy specified for host/mail.eamc.net@EAMC.NET; defaulting
to no policy
Principal "host/mail.eamc.net@EAMC.NET" created.
kadmin:  ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  listprincs
K/M@EAMC.NET
admin/admin@EAMC.NET
host/mail.eamc.net@EAMC.NET
kadmin/admin@EAMC.NET
kadmin/changepw@EAMC.NET
kadmin/history@EAMC.NET
krbtgt/EAMC.NET@EAMC.NET
misjlb/admin@EAMC.NET
misjlb@EAMC.NET
root/admin@EAMC.NET
kadmin:

And on the master.
addprinc -randkey host/blues.eamc.net
WARNING: no policy specified for host/blues.eamc.net@EAMC.NET;
defaulting to no policy
Principal "host/blues.eamc.net@EAMC.NET" created.
kadmin:  ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 4, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 4, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:

Now create the file /var/kerberos/krb5kdc/kpropd.acl that allows
connection from the master to the slaves.
#cat /var/kerberos/krb5kdc/kpropd.acl
host/blues.eamc.net@EAMC.NET
host/mail.eamc.net@EAMC.NET

On both master and slave set up /etc/xinetd.d/krb5_prop and restart.
# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
#

master# kdb5_util dump /var/kerberos/krb5kdc/dump
master# kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net
kprop: Key table entry not found while getting initial ticket
Now what?

 
THE FOLLOWING IS FOR REPLICATION AND WAS MY FIRST TRY
THIS IS FOR DNS BASED AND DID NOT WORK 
  Prepare for slave KDCs.
We are going to set these up according to install guide because they
allow us to easily switch the master and slave servers.  Maintenance can
be a pain on a box that must have five 9s.  I also alias all of the
names in DNS so that we can change the names easily.

The hosts are kerberos.eamc.net and kerberos1.eamc.net, kerberos is the
primary and kerberos1 is the slave.

kadmin
Authenticating as principal root/admin@EAMC.NET with password.
Enter password:
kadmin:  addprinc -randkey host/kerberos.eamc.net
WARNING: no policy specified for host/kerberos.eamc.net@EAMC.NET;
defaulting to no policy
Principal "host/kerberos.eamc.net@EAMC.NET" created.

kadmin:  addprinc -randkey host/kerberos-1.eamc.net
WARNING: no policy specified for host/kerberos-1.eamc.net@EAMC.NET;
defaulting to no policy
Principal "host/kerberos-1.eamc.net@EAMC.NET" created.

kadmin.local:  addprinc -randkey host/mail.eamc.net
WARNING: no policy specified for host/mail.eamc.net@EAMC.NET; defaulting
to no policy
Principal "host/mail.eamc.net@EAMC.NET" created.

kadmin.local:  addprinc -randkey host/webmail.eamc.net
WARNING: no policy specified for host/webmail.eamc.net@EAMC.NET;
defaulting to no policy
Principal "host/webmail.eamc.net@EAMC.NET" created.

ktadd kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 4, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/changepw with kvno 4, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/changepw with kvno 4, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

kadmin.local:  ktadd host/kerberos.eamc.net
Entry for principal host/kerberos.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/kerberos.eamc.net with kvno 3, encryption type
DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
NOTE: Make sure that the file listed at the end of the ktadd command
matches the entry in /var/kerberos/krb5kdc/kdc.conf
or you will get this error

Create kpropd.acl with entries for both Kerberos boxes.
# cat /var/kerberos/krb5kdc/kpropd.acl
host/kerberos.eamc.net@EAMC.NET
host/kerberos-1.eamc.net@EAMC.NET

Set up xinetd for access.
# cat krb5_prop 
# 2004-01-27  Jud Bishop
# description:  kpropd is the propagation daemon for Kerberos
service krb5_prop
{
        flags           = KEEPALIVE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/kpropd
#        server_args     = kpropd
        enable          = yes
}

# cat eklogin
# 2004-01-27 Jud Bishop
# Turned this on.
# description: The encrypting kerberized rlogin server accepts rlogin sessions \
#              authenticated and encrypted with Kerberos 5.
service eklogin
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/klogind
        server_args     = -e -5
        disable          = no
}

And restart xinetd.
# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

On the slave KDC copy over the following files from the master:
/var/kerberos/krb5kdc/kpropd.acl
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
/etc/krb5.conf
/etc/xinetd.d/krb5_prop
/etc/xinetd.d/eklogin

Restart xinetd on the slave.
# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]


Test one of the slave KDCs.
# kadmin
Authenticating as principal root/admin@EAMC.NET with password.
Enter password:


kprop: Client not found in Kerberos database while getting initial
ticket
Make sure you have 

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


Extract the host keytabs for the KDCs on the slaves.
kadmin: ktadd host/kerberos-1.eamc.net
Entry for principal host/kerberos-1.eamc.net with kvno 3, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.eamc.net with kvno 3, encryption
type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd host/webmail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  listprincs
K/M@EAMC.NET
admin/admin@EAMC.NET
host/kerberos-1.eamc.net@EAMC.NET
host/kerberos.eamc.net@EAMC.NET
host/mail.eamc.net@EAMC.NET
host/webmail.eamc.net@EAMC.NET
kadmin/admin@EAMC.NET
kadmin/changepw@EAMC.NET
kadmin/history@EAMC.NET
krbtgt/EAMC.NET@EAMC.NET
misjlb/admin@EAMC.NET
root/admin@EAMC.NET
kadmin: exit

Propagate the database.
On the master:
# kdb5_util dump /var/kerberos/krb5kdc/slave_data_trans






________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
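
A pre-flight check for the propagation step, as an added example that is not part of the original post: kprop gets its initial ticket as host/<master FQDN> from the master's keytab and kpropd accepts it with host/<slave FQDN> from the slave's keytab, so the script checks saved `klist -k` listings and kpropd.acl for those principals and for a slave key made stale by a later ktadd. The function names, file names and sample listings are assumptions, with the listings constructed from the ktadd output quoted in the post.

```sh
#!/bin/sh
# Added example (not from the original post): offline check of the keytabs
# and kpropd.acl that kprop/kpropd depend on. Inputs are saved `klist -k` text.

# Print "principal kvno" (highest kvno per principal) from a klist -k listing.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 {
             if (!($2 in max) || $1 + 0 > max[$2] + 0) max[$2] = $1
         }
         END { for (p in max) print p, max[p] }' "$1" | sort
}

# Print the highest kvno stored for principal $2 in listing $1 (empty if none).
keytab_kvno() {
    keytab_entries "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# kprop_preflight MASTER_FQDN SLAVE_FQDN REALM MASTER_KLIST SLAVE_KLIST ACL
# Prints one finding per line, or "OK" when every check passes.
kprop_preflight() {
    m_princ="host/$1@$3"; s_princ="host/$2@$3"; bad=0

    # kprop authenticates as host/<master> using the master's keytab.
    if [ -z "$(keytab_kvno "$4" "$m_princ")" ]; then
        echo "MISSING master-keytab $m_princ"; bad=1
    fi

    # kpropd decrypts the incoming ticket with host/<slave> from its keytab.
    s_kvno=$(keytab_kvno "$5" "$s_princ")
    if [ -z "$s_kvno" ]; then
        echo "MISSING slave-keytab $s_princ"; bad=1
    fi

    # ktadd generates a new random key and raises the kvno, so a higher kvno
    # for the slave principal in another keytab means the slave copy is stale.
    m_copy=$(keytab_kvno "$4" "$s_princ")
    if [ -n "$s_kvno" ] && [ -n "$m_copy" ] && [ "$m_copy" -gt "$s_kvno" ]; then
        echo "STALE slave-keytab $s_princ kvno $s_kvno < $m_copy"; bad=1
    fi

    # kpropd only accepts a dump from a principal listed in kpropd.acl.
    if ! grep -qxF "$m_princ" "$6"; then
        echo "MISSING kpropd.acl $m_princ"; bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK"
    return 0
}

# Constructed sample inputs mirroring the ktadd runs shown in the post:
# host/mail at kvno 3 on the slave, then host/mail at kvno 4 on the master.
write_sample_inputs() {
    cat > "$1/master.klist" <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/mail.eamc.net@EAMC.NET
   4 host/mail.eamc.net@EAMC.NET
EOF
    cat > "$1/slave.klist" <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.eamc.net@EAMC.NET
   3 host/mail.eamc.net@EAMC.NET
EOF
    cat > "$1/kpropd.acl" <<'EOF'
host/blues.eamc.net@EAMC.NET
host/mail.eamc.net@EAMC.NET
EOF
}

# Demo run on the constructed inputs.
demo_dir=$(mktemp -d)
write_sample_inputs "$demo_dir"
kprop_preflight blues.eamc.net mail.eamc.net EAMC.NET \
    "$demo_dir/master.klist" "$demo_dir/slave.klist" "$demo_dir/kpropd.acl"
rm -rf "$demo_dir"
```

On real hosts the two listings would come from `klist -k /etc/krb5.keytab` run on each KDC and saved to a file.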

1/31/2004 12:24:47 AM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

0 Replies
2888 Views

Similar Articles

[PageSpeed] 49

Reply:

Similar Artilces:

kerberos and Windows 2008R2
Hello Kerberos List, I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 se= rver. I've created a user on windows and used the ktpass to generate the Kerberos= keytab: C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.= COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype K= RB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab I did make sure that "User Kerberos DES encryption types for this account" = was checked. First I was getting: root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host= /jc1lqaldap.testdomain.com kinit: KDC has no support for encryption type while getting initial credent= ials So I've checked "Do not require Kerberos preauthentication" and I get: root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host= /jc1lqaldap.testdomain.com kinit: Key table entry not found while getting initial credentials Where should that key table entry be located ? I cannot go forward with this. Is there a way to get more verbose logging s= o I can troubleshoot this. Klist root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- ----------------------------------------------------= ---- 12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES c= bc mode with RSA-MD5) Cat /etc/krb5.conf [logging] default =3D FILE...

kinit: Key table entry not found while getting initial credentials
Hi Kerberos experts, could anyone help me in addressing this issue since I am a T-O-T-A-L newbie in Kerberos. I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1) using a windows2003 Active Directory as KDC, and I am compelled to use the credential of a user different from Solaris' user. Let's say I work with user appadm on Solaris and user domuser@resource.corp in AD. AD administrator generated a keytab for my Solaris user in this way: Ktpass -princ kerberos/domuser.resource.corp@RESOURCE.CORP -mapuser domuser -pass [passwd of domuser] -out domuser.keytab and gave me the domuser.keytab file. I configured krb5.conf and stored the content of this keytab file in /etc/krb5/krb5.keytab via ktutil: ktutil: rkt domuser.keytab ktutil: l slot KVNO Principal ---- ---- -------------------------------------------------------------------------- 1 4 kerberos/domuser.resource.corp@RESOURCE.CORP ktutil: wkt /etc/krb5/krb5.keytab ktutil: q Now I think my krb5.conf is correct since I am able to get a TGT via kinit in this way: kinit kerberos/domuser.resource.corp@RESOURCE.CORP then I enter domuser's password and with klist I can see the TGT. But I need to obtain the credentials without entering a password since the kinit command has to be put in the startup script of an application. So I tried this: appadm 99% kinit -k kerberos/domuser.resource.corp@RESOURCE.CORP kinit: Key table entry not found while getting initial credentials :-S ...nothing us...

aklog:Key table entry not found while getting AFS tickets
I an trying to automatically obtain the AFS tokens upon login on a Mac 10.2.6 system. I have successfully configured the kerberos v5 and the OpenAFS 1.2.10 clients. I can login with kerberos and successfully verify its ticket with the klist command. I can also execute klog, obtain an AFS token and sucessfully access my AFS space. However, if I login with kerberos and try to execute "aklog", I receive the following messages: aklog: Couldn't get asu.edu AFS tickets: aklog:Key table entry not found while getting AFS tickets Any ideas on how to resolve this problem? Thanks! James ...

kinit: Key table entry not found while getting initial credentials #2
Hello newsgroup, We followed the instructions on http://grolmsnet.de/kerbtut/ kinit -k -t /etc/apache2/httpotrskeytab OTRS/ server.test.local@TEST.LOCAL produces the following error: kinit: Key table entry not found while getting initial credentials we are using mit kerberos 1.9.1 on sles10 we created the keytabfile on windows 2008 r2 server with the following command: ktpass -princ OTRS/server.test.local@TEST.LOCAL -mapuser httpotrs@TEST.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass secretpassword -out c:\temp\httpotrskeytab we copied the file to the linux server to /etc/apache2 directory manual ticket creation works fine: server:/ # kinit OTRS/server.test.local Password for OTRS/server.test.local@TEST.LOCAL: server:/ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: OTRS/server.test.local@TEST.LOCAL Valid starting Expires Service principal 06/07/11 13:40:15 06/07/11 23:40:15 krbtgt/TEST.LOCAL@TEST.LOCAL renew until 06/08/11 13:40:15 server:/ # kvno OTRS/server.test.local@TEST.LOCAL OTRS/server.test.local@TEST.LOCAL: kvno =3D 11 any ideas what went wrong with our installation? G=FCnter g� <guenter.huerkamp@gmail.com> writes: > Hello newsgroup, > > We followed the instructions on http://grolmsnet.de/kerbtut/ > > > kinit -k -t /etc/apache2/httpotrskeytab OTRS/ > server.test.local@TEST.LOCAL > produces the following error: > kinit: Key table entry not found while getting initial credenti...

"Key table entry not found while verifying ticket for server"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig07FDE7C699B5FF20AD258797 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Just added a new system tonight to our Kerberos realm, and was getting the following error when ksu'ing: "ksu: Key table entry not found while verifying ticket for server" Tried Googling for the error to no avail; what is the meaning of this error and how do I clear it? Best Wishes - Peter --=20 Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" --------------enig07FDE7C699B5FF20AD258797 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iD8DBQFGtXWzPtVx9OgEjQgRAve6AJ97hWoo/FDyvCC27oHOamy1UiN6TQCfbcjm 8b550EYBPn8jKX8rHMDtmME= =znqF -----END PGP SIGNATURE----- --------------enig07FDE7C699B5FF20AD258797-- ...

Problem with kerberos working correct due to 2 Domains gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)
Hi guys, I'm working about 3 days at this problem and I can't fix it and now I have no more ideas: Customers environment: Windowsdomain with DC where all Users are: contoso.local Sless11 for Webapplication is in a domain: contoso.lan (this is not a Windowsdomain - just the server is configured for this And thats the problem. I don't know - how to manage these two domains. URL to access to the Webapplication is: When I now try to access from a Windowsmachine wich is in the Domain contoso.local at URL http://sless11.contoso.lan/webapp there comes a 401 from the apach...

Key table entry not found
Hello, I'm setting up a test KDC running on Solaris 9. The version I'm running is 5.1.3.1. I have successfully installed and setup my KDC server. I have tested it out on RH9 and everything is working there, as in being authenticated and such. I'm now trying to get kerberos authentication to work on another Solaris 9 box. But am running into problems. On the Solaris 9 box I have modified the pam.conf file to kerberos, copied the krb5.conf file from my kdc and ran kadmin as follows kadmin - admin/admin : ktadd host/machine_name.domain : quit When I tried to telnet into the system I got denied, the message in /var/adm/messages on the client box said something about "Bad encryption type". I found on the web to do ktadd the following: kadmin -p admin/admin : ktremove host/machine_name.domain : ktadd -e des-cbc-crc:normal host/machine_name.domain : quit This got rid of the "Bad encryption type" error, but I am now getting the following error in the messages file: "Key table entry not found". I don't know if this is saying that its not finding the machine keytab or my UID on the KDC server? Does anyone have any help here? Thanks... ------------------------------------------------------------------------ --------------------------- C. J. Keist Email: cj.keist@engr.colostate.edu UNIX/Network Manager Phone: 970-491-0630 Engineering Network ...

key table entry not found #2
Hello , I have Virtual Network configured to use Kerberos authentication.The setup is as follows: Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com; Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com; Windows XP Prof. (client) (FQDN) zdravko.lab.com; They are in the DNS lookup zone.I create one test user account for accessing the client machine under given domain(lab.com).The user name is "achimtest1" and its password never expires,and it's not going to be prompted for changing.After that I create one "dummy" user which will be used for SPN(service principal name mapping to it).It's called "http-test" and the same flags are used as in "achimtest1" user + one more:"This account supports AES 256 bit encryption".I continued with creating the keytab file: c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http-test@lab.com/pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST /out http-test.keytab the keytab is successfully created and I have checked it with the following command:c:\>setspn -L http-test->I have the service principal name:HTTP/ debian.lab.com registered to it.I copy the "http-test.keytab" file via pscp to the Debian box in /etc/apache2/keytab/ directory.In /etc/hosts file in Debian I've deleted "127.0.0.1" line and replaced it with:"192.168.100.103 debian.lab.com debian";192.168.100.103 is the linux box's IP. In /etc/resolf...

Key table entry not found #3
Hi the list, I have two servers. One hosting a kerberos master and ldap master (server.lan) , one other hosting a kerberos slave and ldap replica (replica.lan). Kerberos is used by ldap for authentication SASL/GSSAPI. The kerberos realm is SERVER.LAN. All was running. But since some time, i get error messages with ldapsearch command. With the debug activated, i get the following message of ldapsearch: server:~ admin$ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan .... res_errno: 80, res_error:<SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)>, res_matched:<> .... (Remark : As information i provide the entire debug at the end of this message) Because of the message "keytable entry not found", i tried to use kadmin and check if principle with root exists. But by using kadmin i get now this message : server:~ admin$ kadmin -proot@SERVER.LAN Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied Authenticating as principalroot@SERVER.LAN with password. Password forroot@SERVER.LAN: kadmin: Communication failure with server while initializing kadmin interface server:~ admin$ I check the logfile owner, group owner, and permission. Then i compared with one other kerberos server. Permission and owner was different. I set permission identically. But nothing was changed. With kadmin.local i checked androot@SERVER.LAN exists in the list. ...

gss-server: Key table entry not found
Hi, I cannot get gss-server worked. I have tried adding (using addprinc and ktadd) different combinations of name/host (klist -k confirms the successful addition) but still getting the same error: key table entry not found. Can you please tell me what entry it is looking for and how to resolve the problem? If you need any information about my system in order to help, kindly let me know. Thanks in advance. Regards, David. ...

Key table entry not found-this time with Heimdal
Hello, this is the same setup like in my previous post from this month,but this time I'm using heimdal-clients.I have removed all of the MIT packages that I have installed: krb5-user,krb5-clients. I have Virtual Network configured to use Kerberos authentication.The setup is as follows: Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com; Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com; Windows XP Prof. (client) (FQDN) zdravko.lab.com; [Windows Server 2008 Settings] They are in the DNS lookup zone.I create one test user account for accessing the client machine under given domain(lab.com).The user name is "zdravko1" and its password never expires,and it's not going to be prompted for changing.After that I create one "dummy" user which will be used for SPN(service principal name mapping to it).It's called "http" and the same flags are used as in "zdravko1": -User cannot change password; -Password never expires; -This account supports AES 256 bit encryption; I continued with creating the keytab file: c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM <http://lab.com/> /mapuser http@LAB.COM /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab Keytab version: 0x502 keysize 78 HTTP/debian.lab.com@LAB.COM <http://lab.com/> ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......) The keytab is successfully created and I have checke...

Server not found in Kerberos database while getting a service url ticket
hello, I have added to my kerberos database the following principal: "http://localhost:8080/axis/services/test" . (It' s in a url format instead of being in the format: service/host@REALM.) So, the thing is that I would like to acquire a service ticket for that principal. To request a service ticket I am using gss api and follow the next steps: class KrbClient{ main(){ ..... //I have acquired the credentials from the ticket cache .... PrincipalName serviceName = new PrincipalName("http://localhost:8080/axis/services/test"); // create the tgs_req to ask for service tickets sun.security.krb5.KrbTgsReq tgs_req = new sun.security.krb5.KrbTgsReq(credentials, serviceName); tgs_req.send(); // get tgs_rep KrbTgsRep tgs_rep = tgs_req.getReply(); } } and it gets the folllowing error: KrbException: Server not found in Kerberos database (7) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235) at KrbClient.requestServiceTicket(KrbClient.java:142) at KrbClient.main(KrbClient.java:39) Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134) at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59) at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50) ... 3 more >From the debugging of gss api: >>>KRBError: sTime is Mon ...

ssh gssapi-with-mic and "Key table entry not found"
Hi, I'm trying to get ssh working using gssapi-with-mic authentication. I have about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4 mounts with "krb5p" security. All these machines mount the same NFSv4 share (think home directories) so my users need to be able to forward their TGT around.) What I'm ultimately running into is sshd complaining "Key table entry not found" on *most* of the servers---a random handful work, and I can't figure out how the working ones are different. So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using gssapi-with-mic authentication. Here's the output of trying to ssh: [matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11 OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to lnxsvr11 [192.168.187.67] port 22. debug1: Connection established. debug1: identity file /mnt/home/matt/.ssh/identity type -1 debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1 debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 debug1: match: OpenSSH_4.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version st...

Problem in get ticket from Kerberos
Hello,

I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type this command:

/usr/local/kerberos/bin/kinit admin@LABCOM.UNASP

it shows this message:

kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP while getting initial credentials

I don't understand why I get this message! My DNS is working; I can resolve the domain (LABCOM.UNASP):

nslookup labcom.unasp
Server: 192.168.4.66
Address: 192.168.4.66#53

Name: labcom.unasp
Address: 192.168.4.2

My DNS server is on Windows 2003 Server. This kinit command was tested from the Linux server with CentOS 5.2 using version 1.6 of MIT Kerberos. Below I paste krb5.conf:

[libdefaults]
# determines your default realm name
default_realm = LABCOM.UNASP
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
LABCOM.UNASP = {
# specifies where the servers are and on
# which ports they listen (88 and 749 are
# the standard ports)
kdc = kdc.AmbLivre:88
admin_server = kdc.AmbLivre:749
default_domain = labcom.unasp
}

[domain_realm]
# maps your DNS domain name to your Kerberos
# realm name
.labcom.unasp = LABCOM.UNASP
labcom. = LABCOM.UNASP

[kdc]
p...

not able to get correct initial ticket
Hi,

I am working with MIT Kerberos 1.6.3. I did kinit to get an initial ticket with a lifetime of 2 hrs. So I used both H and small h for representing the lifetime hour value. In the case of small h, it worked properly.

[root@linux bin]# /usr/local/bin/kinit -l 2h admin/admin
Password for admin/admin@MITREALM:
[root@linux bin]# /usr/local/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MITREALM

Valid starting     Expires            Service principal
11/22/07 07:28:23  11/22/07 09:28:23  krbtgt/MITREALM@MITREALM

Now when I used H, it didn't spit out any error message, but the ticket generated did not have a lifetime of 2 hours.

[root@linux bin]# /usr/local/bin/kinit -l 2H admin/admin
Password for admin/admin@MITREALM:
[root@linux bin]# /usr/local/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MITREALM

Valid starting     Expires            Service principal
11/22/07 07:31:27  11/22/07 07:31:29  krbtgt/MITREALM@MITREALM

What can be the problem? Please suggest.

Thanks in advance
