Message-ID: <4401EEB5.40803@highperformance.net>
Date: Sun, 26 Feb 2006 10:08:53 -0800
From: "Jason C. Wells"
To: freebsd-questions@freebsd.org
Subject: Heimdal Key Table Entry Not Found

I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide remote access to a host. I get this error from my Kermit client:

  Kerberos authentication failed!
  Kerberos V5 refuses authentication because Read req failed: Key table entry not found

The keytab has been extracted to the service host. (see below)

I am thinking that there might be some sort of hard to find incompatibility or encryption type issue with Heimdal and MIT. That or there is some stupid detail that I have missed. I would have expected Heimdal to be a "drop in" replacement for MIT kerberos.

A full transcript is provided below if the problem is not obvious. I am successfully running MIT KDCs and have been for years. All my other MIT kerberized hosts function correctly.

Any idea what I might be missing?

Thanks,
Jason C. Wells

I get a ticket granting ticket as evidenced by the MIT KDC log:

  Feb 26 09:40:56 s5.stradamotorsports.com krb5kdc[449](info): AS_REQ (3 etypes {16 3 1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=16}, jcw@STRADAMOTORSPORTS.COM for krbtgt/STRADAMOTORSPORTS.COM@STRADAMOTORSPORTS.COM

Then I get my service ticket as evidenced by the MIT KDC log:

  Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): TGS_REQ (1 etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=1}, jcw@STRADAMOTORSPORTS.COM for host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM

I have all my tickets on my Windows client.

  C:\Documents and Settings\jcw>klist -e
  Ticket cache: API:krb5cc
  Default principal: jcw@STRADAMOTORSPORTS.COM

  Valid starting     Expires            Service principal
  02/26/06 09:40:56  02/26/06 19:40:56  krbtgt/STRADAMOTORSPORTS.COM@STRADAMOTORSPORTS.COM
          renew until 02/26/06 19:40:57, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
  02/26/06 09:41:09  02/26/06 19:40:56  host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
          renew until 02/26/06 19:40:57, Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1

  Kerberos 4 ticket cache: API:krb4cc
  klist: No ticket file (tf_util)

But my kermit client complains with:

  DNS Lookup... Trying 192.168.1.1... Reverse DNS Lookup... (OK)
  g3.stradamotorsports.com connected on port telnet
  Authenticating with KERBEROS_V5
  Kerberos authentication failed!
  Kerberos V5 refuses authentication because Read req failed: Key table entry not found
  /Can't connect to g3.stradamotorsports.com:23

The keytab shows:

  Vno  Type           Principal
   11  des3-cbc-sha1  host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
   11  des-cbc-crc    host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM

Getprincs on the MIT KDC shows:

  kadmin: getprinc host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
  Principal: host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM
  Expiration date: [never]
  Last password change: Sun Feb 26 09:08:57 PST 2006
  Password expiration date: [none]
  Maximum ticket life: 0 days 10:00:00
  Maximum renewable life: 7 days 00:00:00
  Last modified: Sun Feb 26 09:08:57 PST 2006 (kerbmaster@STRADAMOTORSPORTS.COM)
  Last successful authentication: [never]
  Last failed authentication: [never]
  Failed password attempts: 0
  Number of keys: 2
  Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
  Key: vno 11, DES cbc mode with CRC-32, no salt
  Attributes:
  Policy: [none]
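
Added example, not part of the original message: a server decrypts a service ticket with the keytab key whose principal, key version and encryption type match the ticket, so this Python check compares the principal and ticket enctype from the TGS_REQ log line against the keytab listing quoted above. Function names are hypothetical, the second keytab is constructed, and the ticket's key version is not in the log, so the keytab's is only reported.

```python
import re

# Kerberos enctype numbers (RFC 3961) for the types seen in this message.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}

PRINC = "host/g3.stradamotorsports.com@STRADAMOTORSPORTS.COM"
# TGS_REQ log line and keytab listing as quoted in the message.
KDC_LOG = ("Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): "
           "TGS_REQ (1 etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, "
           "etypes {rep=16 tkt=16 ses=1}, jcw@STRADAMOTORSPORTS.COM for " + PRINC)
KEYTAB = ("Vno Type Principal\n"
          "11 des3-cbc-sha1 " + PRINC + "\n"
          "11 des-cbc-crc " + PRINC + "\n")
# Constructed for comparison: a keytab holding only the single-DES key.
KEYTAB_DES_ONLY = "Vno Type Principal\n11 des-cbc-crc " + PRINC + "\n"

def parse_ticket(line):
    """Pull the ticket enctype and service principal out of an ISSUE line."""
    m = re.search(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)", line)
    if m is None:
        raise ValueError("not a krb5kdc ISSUE line")
    return {"tkt": int(m.group(2)), "ses": int(m.group(3)),
            "client": m.group(4), "service": m.group(5)}

def parse_keytab(text):
    """Return (kvno, enctype name, principal) rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows

def check(log_line, keytab_text):
    """Is there a keytab key for the ticket's principal and enctype?"""
    ticket = parse_ticket(log_line)
    want = ETYPE_NAMES.get(ticket["tkt"], "etype-%d" % ticket["tkt"])
    rows = [r for r in parse_keytab(keytab_text) if r[2] == ticket["service"]]
    if not rows:
        return ("principal-missing", [])
    kvnos = sorted(r[0] for r in rows if r[1] == want)
    if not kvnos:
        return ("enctype-missing", [])
    # The ticket's kvno is not logged; compare these against the KDC's vno.
    return ("enctype-present", kvnos)

if __name__ == "__main__":
    print(check(KDC_LOG, KEYTAB))
    print(check(KDC_LOG, KEYTAB_DES_ONLY))
```
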