
I'm trying to get SASL + OpenLDAP working over saslauthd to AD via Kerberos. I've fired up saslauthd in debug mode and I'm getting the error below in the trace log when I try to su to the LDAP account user101:

[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB

I can issue kinit and there are no complaints about the key table entry. I've launched saslauthd this way:

export KRB5_KTNAME="/etc/windows.keytab" KRB5_TRACE="/tmp/krb5_trace.log" SOCKETDIR="/var/run/saslauthd" MECHANISMS="kerberos5" ; /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5 -d

Any idea why saslauthd isn't able to find the key table entry but kinit can? I've run across some info about rc4-hmac being deprecated, and when I remove it from the list of allowed enctypes in krb5.conf, I get an error that the KDC has no support for the encryption type. Not sure if that's related to the original error about the key table entry, though. Below is some info from the command line, the trace file, and krb5.conf:

The keytab principal matches what's being asked for in the trace file:

# kinit -k -t /etc/windows.keytab

# klist -kte
Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/31/1969 18:00:00 host/ldap-krb-test.mycorp.net@MY.REALM.KRB (aes256-cts-hmac-sha1-96) 

Trace file snippet:

...
[12450] 1605731046.950617: Sending TCP request to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958060: Received answer (1956 bytes) from stream xxx.xxx.xxx.17:88
[12450] 1605731046.958074: Terminating TCP connection to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958131: Response was not from master KDC
[12450] 1605731046.958148: Decoding FAST response
[12450] 1605731046.958196: FAST reply key: aes256-cts/0E58
[12450] 1605731046.958223: TGS reply is for user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB with session key rc4-hmac/ED4E
[12450] 1605731046.958261: TGS request result: 0/Success
[12450] 1605731046.958270: Received creds for desired service host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958277: Storing user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB in MEMORY:0
[12450] 1605731046.958301: Creating authenticator for user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB, seqnum 0, subkey (null), session key rc4-hmac/ED4E
[12450] 1605731046.958402: Retrieving host/ldap-krb-test.mycorp.net@MY.REALM.KRB from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: -1765328203/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958465: Destroying ccache MEMORY:0

krb5.conf:

[libdefaults]
   default_realm = MY.REALM.KRB

   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes   = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

   rdns=false
   dns_lookup_realm = false
   dns_lookup_kdc   = false

[realms]
   MY.REALM.KRB = {
      kdc          = my.realm.krb
      admin_server = my.realm.krb
   }

[domain_realm]
   .my.realm.krb = MY.REALM.KRB
   my.realm.krb  = MY.REALM.KRB
Server Fault

1 Answer


Just in case it helps someone else: I needed the AD checkbox "This account supports Kerberos AES..." turned on for the service account. Everything worked after that.
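The trace in the question already contains the diagnosis: the keytab holds only an aes256-cts-hmac-sha1-96 key for vno 3, while the KDC issued the service ticket with enctype rc4-hmac, so the library's keytab lookup fails even though kinit (which only needs any key for the principal) succeeds. The answer's checkbox fixes the KDC side by setting the AES256 bit (0x10) in the account's msDS-SupportedEncryptionTypes attribute. The script below is an added example, not code from the question, the answer, or MIT Kerberos: it parses `klist -kte` output and the KRB5_TRACE lookup line (both copied from the question as constructed sample input), reports whether the miss is a wrong enctype, a wrong kvno, or a missing principal, and then checks the keytab's enctypes against an msDS-SupportedEncryptionTypes value. The function and variable names are the example's own; the bit values are the documented AD ones, and treating 0/unset as RC4-only is an assumption that matches the behaviour the question's trace shows.

```python
import re

# Constructed sample input: the question's own `klist -kte` output and the
# KRB5_TRACE line that reports the failed keytab lookup.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/31/1969 18:00:00 host/ldap-krb-test.mycorp.net@MY.REALM.KRB (aes256-cts-hmac-sha1-96)
"""
TRACE_LINE = (
    "[12450] 1605731046.958402: Retrieving host/ldap-krb-test.mycorp.net@MY.REALM.KRB "
    "from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: "
    "-1765328203/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB"
)

# One keytab entry per line: kvno, date, time, principal, (enctype).
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")
# The lookup the library logs just before "Failed to decrypt AP-REQ ticket".
TRACE_RE = re.compile(r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype ([^)]+)\)")

# Bits of the AD attribute msDS-SupportedEncryptionTypes; the "This account
# supports Kerberos AES 256 bit encryption" checkbox from the answer sets 0x10.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}


def parse_klist(text):
    """Return {(principal, kvno, enctype)} from `klist -kte` output."""
    entries = set()
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.add((m.group(2), int(m.group(1)), m.group(3)))
    return entries


def parse_trace_lookup(line):
    """Extract principal, keytab, kvno and enctype from the trace's keytab lookup."""
    m = TRACE_RE.search(line)
    if not m:
        raise ValueError("not a keytab lookup trace line")
    return {"principal": m.group(1), "keytab": m.group(2),
            "kvno": int(m.group(3)), "enctype": m.group(4)}


def diagnose(entries, lookup):
    """Say why the lookup failed: exact hit, wrong enctype, wrong kvno, or no principal."""
    want = (lookup["principal"], lookup["kvno"], lookup["enctype"])
    if want in entries:
        return "ok: keytab has a matching entry"
    same_kvno = {e[2] for e in entries if e[0] == want[0] and e[1] == want[1]}
    if same_kvno:
        return ("enctype mismatch: ticket uses %s, keytab only has %s for vno %d"
                % (want[2], ", ".join(sorted(same_kvno)), want[1]))
    kvnos = {e[1] for e in entries if e[0] == want[0]}
    if kvnos:
        return "kvno mismatch: ticket is vno %d, keytab has %s" % (
            want[1], ", ".join(str(k) for k in sorted(kvnos)))
    return "principal missing: %s is not in %s" % (want[0], lookup["keytab"])


def account_allows(supported_enctypes, enctype):
    """True if an msDS-SupportedEncryptionTypes value permits `enctype`.

    Assumption: 0/unset is treated as RC4-only, which is the KDC behaviour the
    question's trace shows (aes256 key in the keytab, rc4-hmac ticket issued)."""
    if supported_enctypes == 0:
        return enctype == "rc4-hmac"
    return bool(supported_enctypes & ENCTYPE_BITS.get(enctype, 0))


def explain(klist_text, trace_line, supported_enctypes=0):
    """Combine the keytab check with the account's enctype setting."""
    entries = parse_klist(klist_text)
    lookup = parse_trace_lookup(trace_line)
    verdict = diagnose(entries, lookup)
    if verdict.startswith("enctype mismatch"):
        keytab_types = {e[2] for e in entries if e[0] == lookup["principal"]}
        missing = [t for t in sorted(keytab_types)
                   if not account_allows(supported_enctypes, t)]
        if missing:
            verdict += ("; enable %s on the AD account (msDS-SupportedEncryptionTypes)"
                        % ", ".join(missing))
    return verdict


if __name__ == "__main__":
    print(explain(KLIST_OUTPUT, TRACE_LINE))
```

Run against the question's data the script reports the enctype mismatch and names aes256-cts-hmac-sha1-96 as the type to enable on the account, which is exactly what the answer's checkbox does. After the AD change the KDC should start issuing AES tickets for the service, and a fresh trace would show the "Retrieving ..." line with enctype aes256-cts-hmac-sha1-96 and result 0.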
