Date: Sun, 26 Feb 2006 14:26:53 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: Heimdal Key Table Entry Not Found
Message-ID: <20060226202653.GH95501@seekingfire.com>
In-Reply-To: <4401EEB5.40803@highperformance.net>
References: <4401EEB5.40803@highperformance.net>

On Sun, Feb 26, 2006 at 10:08:53AM -0800, Jason C. Wells wrote:
> I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide
> remote access to a host. I get this error from my Kermit client:
>
> Kerberos authentication failed!
> Kerberos V5 refuses authentication because
> Read req failed: Key table entry not found
>
> The keytab has been extracted to the service host. (see below)
>
> I am thinking that there might be some sort of hard to find
> incompatibility or encryption type issue with Heimdal and MIT. That or
> there is some stupid detail that I have missed. I would have expected
> Heimdal to be a "drop in" replacement for MIT kerberos. A full
> transcript is provided below if the problem is not obvious.
>
> I am successfully running MIT KDCs and have been for years. All my
> other MIT kerberized hosts function correctly.
>
> Any idea what I might be missing?

http://www.seekingfire.com/projects/kerberos/tips.html

It's very likely a name resolution problem:

"All hosts in your realm must be resolvable (both forwards and reverse)
in DNS (or /etc/hosts as a minimum). CNAMEs will work, but the A and PTR
records must be correct and in place. The error message isn't very
intuitive: "Kerberos V5 refuses authentication because Read req failed:
Key table entry not found".

This same error message can also result if you the [domain_realms]
stanza in your krb5.conf and the host isn't in the right domain. For
example, if you have a host server.example.org and your domain_realms
section says that example.org = EXAMPLE.ORG but the host server is
actually in realm OTHER.REALM, you'll get this error. You can override
the realm for a specific host in the domain_realms section like so:
server.example.org = OTHER.REALM."

-T

--
"Belief gets in the way of learning."
    -- Robert Heinlein
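
The two causes named in the reply above, as an added example that is not part of the original message: a Python sketch that checks forward/reverse DNS agreement and the realm mapping for a host, then reports whether the resulting host principal is present in the keytab. The DNS tables, keytab contents and lookup order (host name first, then each parent domain) are assumptions for illustration, and the section is written `[domain_realm]` as krb5.conf spells it; real Kerberos libraries differ in detail.

```python
# Added example; all hosts, addresses, realms and keytab entries are constructed.
KRB5_CONF = """
[domain_realm]
    example.org = EXAMPLE.ORG
    server.example.org = OTHER.REALM
"""
FORWARD = {"server.example.org": "192.0.2.10"}   # A records
REVERSE = {"192.0.2.10": "server.example.org"}   # PTR records
KEYTAB = {"host/server.example.org@OTHER.REALM"}  # principals in the keytab

def parse_domain_realm(conf_text):
    """Collect the key = REALM pairs of the [domain_realm] section."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings

def realm_for_host(host, mappings):
    """Assumed lookup order: host, then each parent domain with and without a dot."""
    name = host.lower().rstrip(".")
    while name and name not in mappings:
        if name.startswith("."):
            name = name[1:]                      # '.example.org' -> 'example.org'
        elif "." in name:
            name = name[name.index("."):]        # 'server.example.org' -> '.example.org'
        else:
            name = ""
    return mappings.get(name)

def diagnose(host, forward, reverse, mappings, keytab):
    """Return (principal a client would request, list of problems found)."""
    problems = []
    addr = forward.get(host)
    canon = reverse.get(addr) if addr else None
    if addr is None:
        problems.append(f"no A record for {host}")
    elif canon is None:
        problems.append(f"no PTR record for {addr}")
    elif forward.get(canon) != addr:
        problems.append(f"PTR name {canon} does not resolve back to {addr}")
    name = canon or host
    principal = f"host/{name}@{realm_for_host(name, mappings)}"
    if principal not in keytab:
        problems.append(f"{principal} not in keytab")
    return principal, problems

print(diagnose("server.example.org", FORWARD, REVERSE, parse_domain_realm(KRB5_CONF), KEYTAB))
```

Dropping the server.example.org override from the constructed config makes the requested principal land in EXAMPLE.ORG, which the keytab does not hold: the "Key table entry not found" case.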