Date: Sun, 26 Feb 2006 14:26:53 -0600
From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Subject: Re: Heimdal Key Table Entry Not Found

On Sun, Feb 26, 2006 at 10:08:53AM -0800, Jason C. Wells wrote:
> I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide
> remote access to a host. I get this error from my Kermit client:
>
> Kerberos authentication failed!
> Kerberos V5 refuses authentication because
> Read req failed: Key table entry not found
>
> The keytab has been extracted to the service host. (see below)
>
> I am thinking that there might be some sort of hard to find
> incompatibility or encryption type issue with Heimdal and MIT. That or
> there is some stupid detail that I have missed. I would have expected
> Heimdal to be a "drop in" replacement for MIT kerberos. A full
> transcript is provided below if the problem is not obvious.
>
> I am successfully running MIT KDCs and have been for years. All my
> other MIT kerberized hosts function correctly.
>
> Any idea what I might be missing?

http://www.seekingfire.com/projects/kerberos/tips.html

It's very likely a name resolution problem:

"All hosts in your realm must be resolvable (both forwards and reverse)
in DNS (or /etc/hosts as a minimum). CNAMEs will work, but the A and PTR
records must be correct and in place. The error message isn't very
intuitive: "Kerberos V5 refuses authentication because Read req failed:
Key table entry not found".

This same error message can also result if you the [domain_realms]
stanza in your krb5.conf and the host isn't in the right domain. For
example, if you have a host server.example.org and your domain_realms
section says that example.org = EXAMPLE.ORG but the host server is
actually in realm OTHER.REALM, you'll get this error. You can override
the realm for a specific host in the domain_realms section like so:
server.example.org = OTHER.REALM."

-T

--
"Belief gets in the way of learning."
    -- Robert Heinlein
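
The two checks described in the reply above, as an added example that is not part of the original message or of the tips page it quotes: which realm a krb5.conf maps a host to versus the realm of the keytab principal, and whether forward and reverse DNS agree. The section name `[domain_realm]`, the leading-dot domain entry, the `host/...` principal and the stub resolvers are assumptions made for the illustration.

```python
import socket

# Constructed sample krb5.conf fragments (not from the original post).
BROKEN = "[domain_realm]\n    .example.org = EXAMPLE.ORG\n"
FIXED = BROKEN + "    server.example.org = OTHER.REALM\n"

def parse_domain_realm(conf_text):
    """Return {name: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then '.domain' suffixes from longest to shortest."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for name in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if name in mapping:
            return mapping[name]
    return None  # no entry: the Kerberos library's own default applies

def keytab_realm_mismatch(host, keytab_principal, mapping):
    """Return (mapped_realm, keytab_realm) when they disagree, else None."""
    keytab_realm = keytab_principal.rsplit("@", 1)[1]
    mapped = realm_for_host(host, mapping)
    return None if mapped in (None, keytab_realm) else (mapped, keytab_realm)

def dns_round_trip(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """True when the name resolves to an address whose PTR is the same name."""
    try:
        ptr_name = reverse(forward(host))[0]
    except OSError:
        return False
    return ptr_name.lower().rstrip(".") == host.lower().rstrip(".")

if __name__ == "__main__":
    principal = "host/server.example.org@OTHER.REALM"  # constructed keytab entry
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        result = keytab_realm_mismatch("server.example.org", principal, parse_domain_realm(conf))
        print(label, "->", result or "realms agree")
    # Stub resolvers (constructed) keep the demonstration offline.
    print("DNS ok:", dns_round_trip("server.example.org", lambda h: "192.0.2.10",
                                    lambda a: ("server.example.org", [], [a])))
```

On a real host, call `dns_round_trip` with its default resolvers and pass the principal shown by the keytab listing tool.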