kerberos spnego enctype mit-kerberos

kinit: krb5_init_creds_set_keytab: Failed to find keytab (unknown enctype)


To enable access to Kerberized Hadoop from a MacBook, I tried creating SPNEGO. After copying the spnego keytab from the KDC on CentOS 7, running kinit failed with the following error:

$kinit -kt /etc/security/keytabs/spnego.service.keytab [email protected]

kinit: krb5_init_creds_set_keytab: Failed to find [email protected] in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)

On CentOS, I checked the enctypes using the following:

[root@vpimply1 ~]# klist -kte /etc/security/keytabs/smokeuser.headless.keytab
Keytab name: FILE:/etc/security/keytabs/smokeuser.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/27/2018 21:48:00 [email protected] (des-cbc-md5)
   2 11/27/2018 21:48:00 [email protected] (aes128-cts-hmac-sha1-96)
   2 11/27/2018 21:48:00 [email protected] (arcfour-hmac)
   2 11/27/2018 21:48:00 [email protected] (des3-cbc-sha1)
   2 11/27/2018 21:48:00 [email protected] (aes256-cts-hmac-sha1-96)
[root@vpimply1 ~]#

I tried creating the keytabs with a specific enctype, but still hit the same error.

How to fix this "enctype" issue?


Solution

  • After some struggle, I set KRB5 tracing as follows on the MacBook:

    KRB5_TRACE=/dev/stdout

    After setting this, I could clearly see that the permissions on the keytab weren't correct.

    $ kinit -t /etc/security/keytabs/smokeuser.headless.keytab [email protected]
    2018-11-29T11:17:29 set-error: -1765328242: Reached end of credential caches
    2018-11-29T11:17:29 set-error: -1765328243: Principal [email protected] not found in any credential cache
    2018-11-29T11:17:29 set-error: 13: keytab /etc/security/keytabs/smokeuser.headless.keytab access failed: Permission denied
    2018-11-29T11:17:29 set-error: 13: Failed to find [email protected] in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
    kinit: krb5_init_creds_set_keytab: Failed to find [email protected] in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
    
    $ ls -alrt /etc/security/keytabs
    total 24
    -r--r-----  1 root                wheel  338 Nov 28 13:19 smokeuser.headless.keytab
    drwxr-xr-x  5 root                wheel  160 Nov 28 17:16 .

    After fixing the permissions to match the currently logged-in user, kinit worked fine! It wasn't anything to do with 'enctype'. Also, recent macOS versions don't need any packages to be installed, not even MIT Kerberos, for the client to work well.
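
The failure in this answer came from file access, not encryption types, so a readability check run before `kinit -kt` reports the real cause directly. The script below is an added example, not part of the original answer; the function names and return codes are made up for illustration, and it also flags keytabs that group or other users can access, since a keytab holds the principal's long-term keys.

```shell
#!/bin/sh
# Added example: pre-flight check for a keytab before running `kinit -kt`.
# Return codes (chosen for this example, not a Kerberos convention):
#   0 = usable and owner-only
#   1 = not found (or a parent directory is not searchable)
#   2 = exists but the current user cannot read it
#   3 = readable, but group/other permission bits are set

keytab_mode() {
    # Octal permission bits: GNU stat (Linux) first, BSD stat (macOS) second.
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab not found: $kt" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        # This is the case from the answer above: kinit on macOS reported it
        # as "(unknown enctype)" although the cause was errno 13.
        echo "keytab not readable by $(id -un): $kt" >&2
        return 2
    fi
    mode=$(keytab_mode "$kt")
    case $mode in
        0|*00)
            return 0 ;;   # no group/other bits, e.g. 400 or 600
        *)
            echo "keytab mode $mode exposes keys to group/others: $kt" >&2
            return 3 ;;
    esac
}

# When called with a path, check it; with no arguments only define the functions.
[ "$#" -eq 0 ] || check_keytab "$1"
```

Return code 3 matters when "fixing" access: giving the keytab to the one account that runs `kinit` with mode 400 or 600 resolves the error without making the keys readable to every local user.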