I am seeing the following error when inspecting a newly created keytab:

[rxie@cedgedev02 ~]$ klist rxie.keytab
klist: Bad format in credentials cache (filename: rxie.keytab)

[rxie@cedgedev02 ~]$ kinit -kt rxie.keytab
kinit: Cannot determine realm for host (principal host/cedgedev02.company.com@)

Note I replaced the company's name here.

The keytab was created with a customized Python file which wraps the actual ktutil commands below:

addent -password -p rxie@COMPANY.COM -k 1 -e rc4-hmac
addent -password -p rxie@COMPANY.COM -k 1 -e aes256-cts

Can anyone share your thoughts on where/what is missing here? Thank you very much.

Choix
  • RTFM: to inspect a keytab file, instead of a credentials cache, `klist -k dummy.keytab -e` – Samson Scharfrichter Aug 10 '18 at 19:28
  • RTFM: a keytab may contain passwords for multiple users, hence `kinit` does not "guess" the UPN > `kinit -kt rxie.keytab rxie@COMPANY.COM` – Samson Scharfrichter Aug 10 '18 at 19:31
  • RTF MIT Kerberos M: you need to enter a whole lot of params in `/etc/krb5.conf` including the default realm, the mapping rules from domain and/or server names to realms, possibly the cross-realm trust relationships, etc etc – Samson Scharfrichter Aug 10 '18 at 19:35
  • Also, you need a tight DNS config with consistent forward and reverse lookups; and always use _canonical_ DNS names (not aliases -- and no proxy or load balancer in between) ideally case-sensitive... – Samson Scharfrichter Aug 10 '18 at 19:39
  • Thank you, would you please put your comment together into an answer? I will accept it. – Choix Aug 13 '18 at 02:05

1 Answer

The working command is:

kinit -kt rxie.keytab rxie
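As an added illustration (editor's example, not code from the question or the answer): the comments above point out that `klist` reads a keytab only with `-k`, and that `kinit -kt` needs the principal spelled out because a keytab can hold several. The parser below reads the MIT v2 keytab layout (assumed here: version bytes 0x0502, big-endian records) directly, lists each principal with its kvno and enctype, and derives the explicit `kinit -kt` command per principal. The sample keytab bytes are constructed inline to mirror the two `addent` lines in the question, with all-zero placeholder keys.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # as klist names them

def _counted(buf, off):  # keytab counted_octet_string: uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab (bad version bytes)")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip its bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        vno = data[off + 8]     # 8-bit kvno after uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen        # step over the key material itself
        if end - off >= 4:      # optional 32-bit kvno; when non-zero it overrides the 8-bit one
            vno = struct.unpack_from(">I", data, off)[0] or vno
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, ENCTYPES.get(enctype, str(enctype))))
        off = end
    return entries

def kinit_commands(entries, keytab):
    """One explicit `kinit -kt` per distinct principal, since kinit will not guess the UPN."""
    return [f"kinit -kt {keytab} {p}" for p in sorted({p for p, _, _ in entries})]

def make_entry(principal, kvno, enctype, key):
    """Build one keytab record; used here only to construct the sample file below."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key  # name_type=1, timestamp=0
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the two `addent` lines in the question (all-zero placeholder keys).
SAMPLE_KEYTAB = (b"\x05\x02" + make_entry("rxie@COMPANY.COM", 1, 23, b"\x00" * 16)
                 + make_entry("rxie@COMPANY.COM", 1, 18, b"\x00" * 32))
```

Pointing `parse_keytab` at the bytes of a real keytab (`open(path, "rb").read()`) gives the same listing `klist -k -e` would, which makes it easy to spot an entry whose realm came out empty, as in the `host/cedgedev02.company.com@` error above.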