on 11-12-2010 12:35 PM
Hi all,
We have some strange behavior with kinit.
We have a Windows DC and are trying to get the ticket from it.
We generated the keyfile as described in the document from realtech.
ktutil looks like this:
ktutil: rkt /etc/krb5.keytab
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 SAPService/icosap17.implico.de@ads.implico.de (DES cbc mode with RSA-MD5)
But when we try to get a ticket:
/usr/bin/kinit -k SAPService/icosap17.implico.de@ADS.IMPLICO.DE
we get the following error:
kinit(v5): Key table entry not found while getting initial credentials
But when I manually request the ticket:
icosap17:~ # /usr/bin/kinit -V SAPService/icosap17.implico.de@ADS.IMPLICO.DE
Password for SAPService/icosap17.implico.de@ADS.IMPLICO.DE:
and after entering the password:
Authenticated to Kerberos v5
Anyone have an idea why I can't request the ticket without entering the password?
kind regards
Bjoern
1) Make sure your sap user can read the keytab file, change its group ownership to sapsys and make sure you can read it as <sid>adm.
2)
icosap17:~ # /usr/bin/kinit -V SAPService/icosap17.implico.de@ADS.IMPLICO.DE
Try specifying the location of the keytab file with '-t' if it asks you for a password; it's possible the default location for your implementation is not in /etc/krb5.keytab
...and read the man pages if you don't understand what the command does.
Nelis
Hi Nelis,
The keytab is readable:
-rw-r----- 1 root sapsys 78 2010-10-25 10:05 /etc/krb5.keytab
If I try with the keyfile I get the same errors:
icosap17:o7xadm 55> /usr/bin/kinit -t /etc/krb5.keytab
Password for SAPService/icosap17.implico.de@ADS.IMPLICO.DE:
or
icosap17:o7xadm 56> /usr/bin/kinit -t /etc/krb5.keytab SAPService/icosap17.implico.de@ADS.IMPLICO.DE
Password for SAPService/icosap17.implico.de@ADS.IMPLICO.DE:
and with -k
icosap17:o7xadm 57> /usr/bin/kinit -k -t /etc/krb5.keytab SAPService/icosap17.implico.de@ADS.IMPLICO.DE
kinit(v5): Key table entry not found while getting initial credentials
Any ideas?
Bjoern
The only other thing I can think of is possibly the following:
1 4 SAPService/icosap17.implico.de@ads.implico.de (DES cbc mode with RSA-MD5)
You have exported the keytab using small letters for your domain which is CASE SENSITIVE. It should show as @ADS.IMPLICO.DE in ktutil like you use it in kinit. Which might explain why it can't "see it".
Nelis
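
The realm case check from the reply above, as an added example that is not part of the original thread: it reads a keytab listing in the layout ktutil printed and reports whether the principal passed to kinit matches an entry exactly or differs only in the case of the realm. The function name check_keytab_principal and the SAMPLE_LISTING variable are hypothetical, and the sample listing is constructed from the output in the first post.

```shell
#!/bin/sh
# Added example. stdin: keytab listing (slot, KVNO, principal, enctype).
# $1: the principal exactly as it is passed to kinit -k.
# Prints one line and returns 0 (exact), 1 (realm case differs), 2 (missing).
check_keytab_principal() {
    awk -v want="$1" '
        function realm(p) { sub(/^.*@/, "", p); return p }
        function name(p)  { sub(/@[^@]*$/, "", p); return p }
        # Data rows start with two integers: slot number and KVNO.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            entry = $3
            if (entry == want) {
                exact = entry; kv = $2
            } else if (name(entry) == name(want) &&
                       toupper(realm(entry)) == toupper(realm(want)) &&
                       near == "") {
                near = entry
            }
        }
        END {
            if (exact != "")     { print "exact kvno=" kv; exit 0 }
            else if (near != "") { print "realm-case-mismatch " near; exit 1 }
            else                 { print "missing"; exit 2 }
        }'
}

# Constructed sample, modelled on the listing in the first post.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 SAPService/icosap17.implico.de@ads.implico.de (DES cbc mode with RSA-MD5)'

# The principal used with kinit in the thread has an upper-case realm.
printf '%s\n' "$SAMPLE_LISTING" |
    check_keytab_principal 'SAPService/icosap17.implico.de@ADS.IMPLICO.DE' || true
```

On a live system the listing can be piped in from the keytab tool instead of the sample variable.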