Heimdal Key Table Entry Not Found

Jason C. Wells jcw at highperformance.net
Sun Feb 26 10:08:57 PST 2006


I am not able to use heimdal kerberos telnetd on FreeBSD-6 to provide 
remote access to a host.  I get this error from my Kermit client:

	Kerberos authentication failed!
	Kerberos V5 refuses authentication because
	Read req failed: Key table entry not found

The keytab has been extracted to the service host. (see below)

I am thinking that there might be some sort of hard to find 
incompatibility or encryption type issue with Heimdal and MIT.  That or 
there is some stupid detail that I have missed.  I would have expected 
Heimdal to be a "drop in" replacement for MIT kerberos.  A full 
transcript is provided below if the problem is not obvious.

I am successfully running MIT KDCs and have been for years.  All my 
other MIT kerberized hosts function correctly.

Any idea what I might be missing?

Thanks,
Jason C. Wells


	I get a ticket granting ticket as evidenced by the MIT KDC log:

Feb 26 09:40:56 s5.stradamotorsports.com krb5kdc[449](info): AS_REQ (3 etypes {1 6 3 1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=16}, jcw at STRADAMOTORSPORTS.COM for krbtgt/STRADAMOTORSPORTS.COM at STRADAMOTORSPORTS.COM

	Then I get my service ticket as evidenced by the MIT KDC log:

Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): TGS_REQ (1 etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 tkt=16 ses=1}, jcw at STRADAMOTORSPORTS.COM for host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM

	I have all my tickets on my Windows client.

C:\Documents and Settings\jcw>klist -e
Ticket cache: API:krb5cc
Default principal: jcw at STRADAMOTORSPORTS.COM

Valid starting     Expires            Service principal
02/26/06 09:40:56  02/26/06 19:40:56  krbtgt/STRADAMOTORSPORTS.COM at STRADAMOTORSPORTS.COM
         renew until 02/26/06 19:40:57, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
02/26/06 09:41:09  02/26/06 19:40:56  host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
         renew until 02/26/06 19:40:57, Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

	But my kermit client complains with:

  DNS Lookup...  Trying 192.168.1.1...  Reverse DNS Lookup... (OK)
  g3.stradamotorsports.com connected on port telnet
Authenticating with KERBEROS_V5
Kerberos authentication failed!
Kerberos V5 refuses authentication because
Read req failed: Key table entry not found
/Can't connect to g3.stradamotorsports.com:23

	The keytab shows:

Vno  Type           Principal
  11  des3-cbc-sha1  host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
  11  des-cbc-crc    host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM

	Getprincs on the MIT KDC shows:

kadmin:  getprinc host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
Principal: host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
Expiration date: [never]
Last password change: Sun Feb 26 09:08:57 PST 2006
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Feb 26 09:08:57 PST 2006 (kerbmaster at STRADAMOTORSPORTS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 11, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
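
An added example, not part of the original post: a Kerberos service looks up its keytab key by the principal, key version number and enctype carried in the ticket, so the TGS_REQ log line and the keytab listing above can be cross-checked mechanically. The function names are this example's own, the sample input is copied from the post with " at " read as the archive's rendering of "@" (an assumption), and the etype numbers follow the RFC 3961 registry.

```python
import re

# RFC 3961 / IANA etype numbers for the DES-family enctypes seen in the post.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}

# Sample input copied from the post; " at " is treated as the list archive's
# rendering of "@" (an assumption of this example).
KDC_LOG = ("Feb 26 09:41:09 s5.stradamotorsports.com krb5kdc[449](info): TGS_REQ (1 "
           "etypes {1}) 192.168.1.16: ISSUE: authtime 1140975656, etypes {rep=16 "
           "tkt=16 ses=1}, jcw at STRADAMOTORSPORTS.COM for "
           "host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM")
KEYTAB_LIST = """\
Vno  Type           Principal
  11  des3-cbc-sha1  host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
  11  des-cbc-crc    host/g3.stradamotorsports.com at STRADAMOTORSPORTS.COM
"""

def norm(principal):
    return principal.strip().replace(" at ", "@")

def parse_tgs_issue(line):
    """Return (service principal, ticket etype number) from a krb5kdc TGS_REQ ISSUE line."""
    m = re.search(r"TGS_REQ .*ISSUE: .*tkt=(\d+) ses=\d+\}, .+? for (.+)$", line)
    if not m:
        raise ValueError("not a TGS_REQ ISSUE line")
    return norm(m.group(2)), int(m.group(1))

def parse_keytab(listing):
    """Return [(kvno, enctype name, principal)] from a 'Vno Type Principal' listing."""
    rows = []
    for line in listing.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], norm(parts[2])))
    return rows

def check(line, listing):
    """Compare the ticket's principal and enctype with the keytab entries."""
    principal, etype = parse_tgs_issue(line)
    name = ETYPE_NAMES.get(etype, "etype-%d" % etype)
    same_princ = [r for r in parse_keytab(listing) if r[2] == principal]
    kvnos = sorted({r[0] for r in same_princ if r[1] == name})
    # The KDC log line carries no kvno, so keytab_kvnos is listed, not compared.
    return {"principal": principal, "ticket_enctype": name,
            "principal_in_keytab": bool(same_princ),
            "enctype_in_keytab": bool(kvnos), "keytab_kvnos": kvnos}

if __name__ == "__main__":
    print(check(KDC_LOG, KEYTAB_LIST))
```

The ticket's own key version number is not visible in any of the output above, so this check covers only the principal name and the enctype.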




