Keytab not spawning?
June 22, 2004 at 2:52 pm #358311
Tom Bridge, Participant
So, a month ago I set up our fileserver with a fresh copy of 10.3 Server, before our internal DNS was spun up. As an unintentional consequence of being a n00b, the KDC didn’t get started when I set everything up.
Now that DNS is working, I thought, hey, let’s get that KDC spun up so I can replicate to all my daughter sites and get my OD groove on.
Not so fast, sayeth my server.
I followed the instructions from the article on this site for spinning up the KDC (https://www.afp548.com/articles/Panther/kerberos2.html)
But it’s not generating a krb5.keytab file…
I’ve tried creating a blank krb5.keytab in /etc/, I’ve tried wiping our /var/db/krb5kdc before I begin, I’ve tried wiping out /Library/Preferences/edu.mit.Kerberos.
Nothing seems to work.
Weird part? Kinit works just fine, and I can get a principal, but when I try klist -kt I get:
cirrus:/etc tbridge$ klist -kt
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting scan of keytab (null)
Any thoughts?
June 23, 2004 at 9:17 pm #358320
bustthis, Participant
try sudo klist -kt
July 1, 2004 at 6:48 am #358380
honestpuck, Participant
Let’s look at some assumptions as to how you did things.
I assume you’ve got the edu.mit.Kerberos file back in place. I assume you have a running and checked LDAP server with a number of users in it. I assume you either put sudo in front of all your commands or did a sudo -s first to get a root shell. I assume you blew away /var/db/krb5kdc and then ran kerberosautoconfig and kdcsetup with some fairly sane parameters.
At that point (still while root) do a ‘kinit username’ and get a ticket. Then try a ‘klist’ on its own – which should list your ticket.
Then if all that’s a go try ‘sftp [email protected]’ and you should log on without a password. (I expect this to break if the problem you’re reporting is there)
Once you get that far a ‘klist -kt’ should list your host principals.
Seeing where those steps broke will give a better idea of where you’re breaking. At that point a good look at http://web.mit.edu/kerberos/www/ might suffice to solve your problem. Otherwise, reposting to tell us where you broke and what worked and what didn’t will give a better idea of what might fix it.
My first suggestion would be to take the Swiss Army Knife out of the toolbox and do ‘sudo kadmin.local’ then from the kadmin prompt :
listprincs (which should report a list of principals)
then
ktadd -glob *
which should add all the required keys to your keytab. This step failing would not be surprising but the error it reports would probably be informative. (A ‘man kadmin’ will tell you all about this neat little shell)
Oh, and bustthis, tbridge is reporting the wrong sort of error for not running klist with sudo as his only problem. He would have got a ‘Permission denied’ rather than ‘No such file or directory’ if that was the case.
(I’m spending way too much time hip deep in Kerberos – I’m trying to get a 10.3 client machine to authorise against my 10.3 server box, now that’s what I call fun.)
Tony
July 1, 2004 at 7:11 am #358382
bustthis, Participant
I should have explained myself better in that post 🙂
i was getting the same error:
klist: No such file or directory while starting scan of keytab (null)
this seemed to always occur when i ran klist -kt from a remote session with the server as root. if i ran sudo klist -kt on the server directly it would report the proper keytab settings. i’m not sure if that makes sense…
June 6, 2006 at 11:20 pm #366356
bones, Participant
hello! I have the exact same issue. Did you manage to solve it? I am not very hopeful as this is such an old post, but if anyone has any info on this problem could they let me know!
I had this krb5.keytab not found issue when trying to run klist -kt. I also was able to get tickets with no problem, but then when trying to ssh it still asked for a pw.
I tried the ktadd -glob * command as suggested by honestpuck and this populated my keytab with no errors. This keytab does not look like the one at https://www.afp548.com/Articles/Panther/kerberos2.html however, and my issue of ssh asking for a pw still exists.
I am running 10.3 server, with dns setup correctly (but only after opend was set up and therefore why I’m trying to hand crank kerberos).
I hope that is enough info, thanks in advance
bones
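The two checks this thread keeps circling back to, as an added example that is not from any poster: honestpuck's point that a keytab that was never written ("No such file or directory") is a different problem from one you lack permission to read ("Permission denied"), and bones' question of whether the keytab that ktadd populated actually carries the host/ principal sshd needs. The keytab path, the server name cirrus.example.com, the realm EXAMPLE.COM and the klist -kt sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the state of a Kerberos keytab,
# then check a klist -kt listing for the host principal that ssh single sign-on
# requires. Paths, host name and realm below are assumptions.

# keytab_state [path] -> prints: missing | unreadable | empty | present
keytab_state() {
    kt="${1:-/etc/krb5.keytab}"
    if [ ! -e "$kt" ]; then
        echo missing        # never written: "No such file or directory"
    elif [ ! -r "$kt" ]; then
        echo unreadable     # exists but needs root: "Permission denied"
    elif [ ! -s "$kt" ]; then
        echo empty          # a hand-made blank file is not a usable keytab
    else
        echo present
    fi
}

# keytab_principals < klist-kt-output -> distinct principals, one per line
keytab_principals() {
    # klist -kt columns are "KVNO Timestamp Principal"; only principals contain '@'
    awk '$NF ~ /@/ { print $NF }' | sort -u
}

# has_host_principal fqdn realm < klist-kt-output -> exit 0 if host/fqdn@REALM is listed
has_host_principal() {
    keytab_principals | grep -qxF "host/$1@$2"
}

# Constructed klist -kt output for an assumed server "cirrus" (not real data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/22/04 14:52:00 host/cirrus.example.com@EXAMPLE.COM
   3 06/22/04 14:52:00 host/cirrus.example.com@EXAMPLE.COM
   3 06/22/04 14:52:01 afpserver/cirrus.example.com@EXAMPLE.COM'

# Demo: state of the default keytab, then the host-principal check on the sample.
keytab_state
if printf '%s\n' "$SAMPLE_KLIST" | has_host_principal cirrus.example.com EXAMPLE.COM; then
    echo "host principal present: Kerberos ssh login should not prompt for a password"
else
    echo "host principal missing: add host/<fqdn> with kadmin.local ktadd"
fi
```

On a real server, replace the sample with `sudo klist -kt | has_host_principal "$(hostname)" YOUR.REALM` to run the same check against the live keytab.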