I have configured two CentOS machines to authenticate via kerberos and LDAP to Windows Server 2008 R2 Active Directory. I am now trying to do the same to a Solaris 10u9 (without upgrades to Kerberos or ldap) machine but am running into a problem -- active directory users cannot log in to the Solaris machine using ssh. Local users can log in fine. I can use kinit successfully and id works on active directory users. In /var/adm/messages I get this message every time I try to log in with an AD user (some information redacted):
Nov 3 16:31:03 hostname.f.q.d.n sshd[1024]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
However, the keytab is present and correct:
-bash-3.00$ ls -la /etc/krb5/krb5.keytab
-rwx------ 1 root root 422 Nov 3 15:33 /etc/krb5/krb5.keytab
-bash-3.00$ sudo klist -e -k /etc/krb5/krb5.keytab
Keytab name: WRFILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HOST/hostname.f.q.d.n@F.Q.D.N (DES cbc mode with CRC-32)
3 HOST/hostname.f.q.d.n@F.Q.D.N (DES cbc mode with RSA-MD5)
3 HOST/hostname.f.q.d.n@F.Q.D.N (ArcFour with HMAC/md5)
3 HOST/hostname.f.q.d.n@F.Q.D.N (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 HOST/hostname.f.q.d.n@F.Q.D.N (AES-128 CTS mode with 96-bit SHA-1 HMAC)
-bash-3.00$
My hostname and domainname are also correct:
-bash-3.00$ hostname
hostname.f.q.d.n
-bash-3.00$ cat /etc/nodename
hostname.f.q.d.n
-bash-3.00$ domainname
f.q.d.n
-bash-3.00$ cat /etc/defaultdomain
f.q.d.n
All instances of f.q.d.n are equal. Same applies to F.Q.D.N and hostname.f.q.d.n. Any ideas why I am getting this message?
The same error occurs when a non-root user attempts to su <AD-user> on the machine.
