[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: krb5_verify_user requires single-DES host key in keytab?
29 jul 2007 kl. 01.59 skrev Thor Lancelot Simon:
> I'm using the Heimdal integrated into NetBSD 4.0_BETA2 (I believe this
> is from the 0.7 branch of Heimdal).
> I have no principals in my database with any single-DES keys, though
> kadmin and ktutil don't exactly make this easy. The keytabs on my
> have only 3des keys for host/host.domain@REALM.
Setting the following in krb5.conf on the kdc
default_keys = des3-cbc-sha1:pw-salt
and doing a
ktutil get -p tls/admin get host/`hostname`
doesn't make you happy ?
> When I try to use an application like sudo 1.6.9 that calls
> to check a user's password, it gets the TGT for the user, but then
> to find the service key for the host in the keytab, with an error like
> sudo: kerb5: host service key not found: Unknown error -1765328203
> Jul 28 23:56:46 hostname sudo: tls : kerb5: host service key
> not found:
> Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ;
> sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error
> Sorry, try again.
> Is this expected? Can I patch krb5_verify_user to fix it? I can't
> out what that error code actually is.
/usr/heimdal/include/krb5_err.h: KRB5_KT_NOTFOUND = -1765328203,
I think you database mismatch with your keytab.