Date: Sun, 26 Feb 2006 10:08:53 -0800
From: "Jason C. Wells" <jcw@highperformance.net>
To: freebsd-questions@freebsd.org
Subject: Heimdal Key Table Entry Not Found
Message-ID: <4401EEB5.40803@highperformance.net>

I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide remote access to a host. I get this error from my Kermit client:

Kerberos authentication failed!
Kerberos V5 refuses authentication because Read req failed: Key table entry not found

The keytab has been extracted to the service host. (see below)

I am thinking that there might be some sort of hard to find incompatibility or encryption type issue with Heimdal and MIT. That or there is some stupid detail that I have missed. I would have expected Heimdal to be a "drop in" replacement for MIT kerberos.

A full transcript is provided below if the problem is not obvious. I am successfully running MIT KDCs and have been for years. All my other MIT kerberized hosts function correctly.

Any idea what I might be missing?

Thanks,
Jason C. Wells

I get a ticket granting ticket as evidenced by the MIT KDC log:

Feb 26 09:40:56 s5.stradamotorsports.com krb5kdc[449](info): AS_REQ (3 etypes {1 6 3 1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=16}, jcw@STRADAMOTORSPORTS.COM for krbtgt/STRADAMOTORSPORTS.COM@STRADAMOTORSPORTS.COM

Then I get my service ticket as evidenced by the MIT KDC log:

Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): TGS_REQ (1 etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=1}, jcw@STRADAMOTORSPORTS.COM for host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM

I have all my tickets on my Windows client.

C:\Documents and Settings\jcw>klist -e
Ticket cache: API:krb5cc
Default principal: jcw@STRADAMOTORSPORTS.COM

Valid starting     Expires            Service principal
02/26/06 09:40:56  02/26/06 19:40:56  krbtgt/STRADAMOTORSPORTS.COM@STRADAMOTORSPORTS.COM
        renew until 02/26/06 19:40:57, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
02/26/06 09:41:09  02/26/06 19:40:56  host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
        renew until 02/26/06 19:40:57, Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1

Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

But my kermit client complains with:

DNS Lookup... Trying 192.168.1.1... Reverse DNS Lookup... (OK)
g3.stradamotorsports.com connected on port telnet
Authenticating with KERBEROS_V5
Kerberos authentication failed!
Kerberos V5 refuses authentication because Read req failed: Key table entry not found
/Can't connect to g3.stradamotorsports.com:23

The keytab shows:

Vno  Type           Principal
 11  des3-cbc-sha1  host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
 11  des-cbc-crc    host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM

Getprincs on the MIT KDC shows:

kadmin: getprinc host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
Principal: host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
Expiration date: [never]
Last password change: Sun Feb 26 09:08:57 PST 2006
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Feb 26 09:08:57 PST 2006 (kerbmaster@STRADAMOTORSPORTS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 11, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
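
The check the transcript invites, written out as an added example (not part of the original message and not Heimdal or MIT code): it reads the `tkt=` encryption type from the TGS_REQ log line and looks for a keytab entry with the same principal and encryption type. The function names are hypothetical; the log line and keytab listing are copied from the message above.

```python
import re

# Encryption type numbers (RFC 3961 / IANA registry), named as the keytab listing prints them.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

ISSUE_RE = re.compile(r"TGS_REQ .*? ISSUE: .*?etypes "
                      r"\{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")

# Inputs copied from the message above.
LOG = ("Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): "
       "TGS_REQ (1 etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, "
       "etypes {rep=16 tkt=16 ses=1}, jcw@STRADAMOTORSPORTS.COM for "
       "host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM")
KEYTAB = """Vno  Type           Principal
 11  des3-cbc-sha1  host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
 11  des-cbc-crc    host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
"""

def parse_tgs_issue(line):
    """Return client, service and etype numbers from a krb5kdc TGS_REQ ISSUE line."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    _rep, tkt, ses, client, service = m.groups()
    return {"client": client, "service": service, "tkt": int(tkt), "ses": int(ses)}

def parse_keytab(listing):
    """Return (kvno, enctype, principal) tuples; the header row does not match."""
    rows = (KEYTAB_RE.match(r) for r in listing.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in rows if m]

def matching_kvnos(log_line, listing):
    """kvnos of keytab entries able to decrypt the ticket, by principal and enctype.
    The log line carries no kvno, so the ticket's own kvno is not compared here."""
    issue = parse_tgs_issue(log_line)
    if issue is None:
        raise ValueError("not a TGS_REQ ISSUE line")
    wanted = ETYPE_NAMES.get(issue["tkt"])  # None for an etype not in the table
    return sorted(k for k, etype, princ in parse_keytab(listing)
                  if princ == issue["service"] and etype == wanted)

if __name__ == "__main__":
    print(matching_kvnos(LOG, KEYTAB))
```

An empty result would mean the keytab listing has no key of the ticket's encryption type for that exact principal name.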