[OpenAFS] Re: Cron Jobs for "Regular" Users

Andrew Deason adeason@sinenomine.net
Thu, 28 Jan 2010 09:44:07 -0600

On Thu, 28 Jan 2010 12:35:03 +0100
Holger Rauch <holger.rauch@empic.de> wrote:

> Hi Thomas,
> On Wed, 27 Jan 2010, Thomas Kula wrote:
> > [...] 
> > It very well could be. If the kvno (which is listed in the klist
> > output) doesn't match kvno in the database (what is displayed with
> > getprinc in kadmin) then you won't be able to authenticate with
> > that keytab. 
> I just did a "getprinc <princ_name>" and it told me that the user
> actually had *two* different (meaning different encryption types)
> keys. Does that imply I would also have to add *both* keys from within
> ktutil for the newly generated keytab file?

You should only need to match one of them, I think. Preferably the
strongest enc type the client supports.

> I created two different keytab files each having one of those keys.
> Nevertheless, I still got the same error:
> kinit(v5): Key table entry not found while getting initial credentials
> I should perhaps also point out that I have no default_tgs_enctypes
> and no default_tkt_enctypes options in my [libdefaults] section in my
> /etc/krb5.conf (on a Debian Lenny system with MIT Kerberos from Debian
> packages).

The example I gave was also on a lenny system, and it doesn't have
either of those options specified. Double-check "l -e" in ktutil and see
if it matches kadmin getprinc, and klist?

Andrew Deason