[OpenAFS] Re: Cron Jobs for "Regular" Users
Thu, 28 Jan 2010 09:44:07 -0600
On Thu, 28 Jan 2010 12:35:03 +0100
Holger Rauch <firstname.lastname@example.org> wrote:
> Hi Thomas,
> On Wed, 27 Jan 2010, Thomas Kula wrote:
> > [...]
> > It very well could be. If the kvno (which is listed in the klist
> > output) doesn't match kvno in the database (what is displayed with
> > getprinc in kadmin) then you won't be able to authenticate with
> > that keytab.
> I just did a "getprinc <princ_name>" and it told me that the user
> actually had *two* different (meaning different encryption types)
> keys. Does that imply I would also have to add *both* keys from within
> ktutil for the newly generated keytab file?
You should only need to match one of them, I think. Preferably the
strongest enc type the client supports.
> I created two different keytab files each having one of those keys.
> Nevertheless, I still got the same error:
> kinit(v5): Key table entry not found while getting initial credentials
> I should perhaps also point out that I have no default_tgs_enctypes
> and no default_tkt_enctypes options in my [libdefaults] section in my
> /etc/krb5.conf (on a Debian Lenny system with MIT Kerberos from Debian
The example I gave was also on a lenny system, and it doesn't have
either of those options specified. Double-check "l -e" in ktutil and see
if it matches kadmin getprinc, and klist?