I am trying to migrate saslauthd from SASL + OpenLDAP to AD Kerberos. I started saslauthd in debug mode, and when I try to access an LDAP account with su user101, I get the following error in the trace log:
[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/[email protected]
I can run kinit and get no complaint about the keytab entry. I start saslauthd like this:
export KRB5_KTNAME="/etc/windows.keytab" KRB5_TRACE="/tmp/krb5_trace.log" SOCKETDIR="/var/run/saslauthd" MECHANISMS="kerberos5" ; /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5 -d
Any idea why saslauthd cannot find the keytab entry but kinit can? I ran across something about rc4-hmac being deprecated, and when I removed it from the list of permitted enctypes in krb5.conf I got an error saying the KDC does not support the encryption type. Not sure whether that is related to the original keytab entry error. Here is some information from the command line and the trace file, along with krb5.conf:

The keytab principal matches what the trace file asks for:
# kinit -k -t /etc/windows.keytab
# klist -kte
Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 12/31/1969 18:00:00 host/[email protected] (aes256-cts-hmac-sha1-96)
Trace file snippet:
...
[12450] 1605731046.950617: Sending TCP request to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958060: Received answer (1956 bytes) from stream xxx.xxx.xxx.17:88
[12450] 1605731046.958074: Terminating TCP connection to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958131: Response was not from master KDC
[12450] 1605731046.958148: Decoding FAST response
[12450] 1605731046.958196: FAST reply key: aes256-cts/0E58
[12450] 1605731046.958223: TGS reply is for [email protected] -> host/[email protected] with session key rc4-hmac/ED4E
[12450] 1605731046.958261: TGS request result: 0/Success
[12450] 1605731046.958270: Received creds for desired service host/[email protected]
[12450] 1605731046.958277: Storing [email protected] -> host/[email protected] in MEMORY:0
[12450] 1605731046.958301: Creating authenticator for [email protected] -> host/[email protected], seqnum 0, subkey (null), session key rc4-hmac/ED4E
[12450] 1605731046.958402: Retrieving host/[email protected] from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: -1765328203/No key table entry found for host/[email protected]
[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/[email protected]
[12450] 1605731046.958465: Destroying ccache MEMORY:0
krb5.conf:
[libdefaults]
default_realm = MY.REALM.KRB
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
rdns=false
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MY.REALM.KRB = {
kdc = my.realm.krb
admin_server = my.realm.krb
}
[domain_realm]
.my.realm.krb = MY.REALM.KRB
my.realm.krb = MY.REALM.KRB
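As an added diagnostic example (not part of the question above): a small Python script that parses the "Retrieving ... from FILE:... (vno N, enctype X)" lines that KRB5_TRACE writes and compares the principal, kvno and enctype being requested against the entries listed by klist -kte, reporting which of the three the keytab lacks. The principal name, keytab path and log lines below are constructed placeholders modelled on the output in the question, not the asker's real data.

```python
import re

# Constructed sample inputs (placeholders, not the asker's real principal or host)
KLIST_OUTPUT = """Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   3 12/31/1969 18:00:00 host/server.example.test@MY.REALM.KRB (aes256-cts-hmac-sha1-96)
"""
TRACE_LINE = ("[12450] 1605731046.958402: Retrieving host/server.example.test@MY.REALM.KRB "
              "from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: "
              "-1765328203/No key table entry found for host/server.example.test@MY.REALM.KRB")

# klist -kte rows: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# KRB5_TRACE keytab lookup: "Retrieving <principal> from <keytab> (vno N, enctype X)"
RETRIEVE_RE = re.compile(r"Retrieving (\S+) from \S+ \(vno (\d+), enctype (\S+)\)")


def parse_keytab_listing(text):
    """Return the set of (principal, kvno, enctype) tuples listed by klist -kte."""
    entries = set()
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.add((m.group(2), int(m.group(1)), m.group(3)))
    return entries


def parse_retrieval(line):
    """Return (principal, kvno, enctype) requested by a trace line, or None."""
    m = RETRIEVE_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def diagnose(keytab_text, trace_text):
    """For every keytab lookup in the trace, state what the keytab is missing."""
    entries = parse_keytab_listing(keytab_text)
    findings = []
    for line in trace_text.splitlines():
        wanted = parse_retrieval(line)
        if wanted is None:
            continue
        princ, kvno, etype = wanted
        if wanted in entries:
            findings.append((princ, "ok"))
            continue
        same_princ = {(k, e) for p, k, e in entries if p == princ}
        if not same_princ:
            reason = "principal absent from keytab"
        elif all(k != kvno for k, _ in same_princ):
            reason = f"kvno {kvno} absent (keytab has {sorted({k for k, _ in same_princ})})"
        else:
            have = sorted({e for k, e in same_princ if k == kvno})
            reason = f"enctype {etype} absent (keytab has {have})"
        findings.append((princ, reason))
    return findings
```

Feed it the real klist -kte output and the full trace file to see, per lookup, whether the principal, the kvno or the enctype is what the keytab does not contain.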