nfs keytab trouble.

Mark Hannessen msh104 at xs4all.nl
Sun May 2 08:05:55 EDT 2004


Hi

I am pretty new to the Kerberos world and ran into some trouble trying to get 
Kerberized NFS up and running.

My current status:

I have krb5kdc and kadmind running fine. 
This is how my krb5.conf looks like on my server and my client
(but I removed the "profile = /kerberos/etc/krb5kdc/kdc.conf" line on the 
clients).

[logging]
    kdc = FILE:/kerberos/var/log/krb5kdc.log
    admin_server = FILE:/kerberos/var/log/kadmin.log
    default = FILE:/kerberos/var/log/krb5lib.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = linuxnet.nl
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    linuxnet.nl = {
        kdc = kerberos.linuxnet.nl:88
        admin_server = kerberos.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = linuxnet.nl
    linuxnet.nl = linuxnet.nl

[kdc]
    profile = /kerberos/etc/krb5kdc/kdc.conf

[appdefaults]
    pam = {
       krb4_convert = false
    }
    kinit = {
       forwardable = true
       renewable = true
    }

on my server I also have a kdc.conf file containing the following.

[kdcdefaults]
    acl_file = /kerberos/etc/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab

[realms]
    linuxnet.nl = {
        database_name = /kerberos/etc/krb5kdc/principal
        admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
        acl_file = /kerberos/etc/krb5kdc/kadm5.acl
        dict_file = /kerberos/etc/krb5kdc/kadm5.dict
        key_stash_file = /kerberos/etc/krb5kdc/.k5.linuxnet.nl
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

I am currently able to log into kadmin and kinit on both server and client.
So far, so good.

I then try to start nfsv4 using the following daemons and configs.
rpc.mountd: seems to work fine
rpc.idmapd: seems to work fine as well, uses the following config file

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = linuxnet.nl

[Mapping]
Nobody-User = nfsnb
Nobody-Group = nfsnb

but rpc.svcgssd -f outputs the following errors.

ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No 
principal in keytab matches desired name
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> 
in /etc/krb5.keytab?

The problem is that I don't really know how the creation of keytabs is 
supposed to go. I also didn't really understand the documentation. But this 
is what I did after reading multiple howtos:

On the server I executed the following:
# xp2600pro.linuxnet.nl is the client computer name.
kadmin.local -q "addprinc -randkey nfs/xp2600pro.linuxnet.nl@linuxnet.nl"

kadmin.local -q "ktadd -e des-cbc-crc:normal -k /tmp/krb5.keytab nfs/xp2600pro.linuxnet.nl@linuxnet.nl"

I then copied this file to /etc/krb5.keytab on the client.
But this does not seem to resolve my problem.
I don't know what to do next, is there anyone out there who can enlighten me?

Thanks in return.

Mark Hannessen.
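
Added example, not part of the original post: the rpc.svcgssd error above asks whether /etc/krb5.keytab holds an nfs/<your.host>@<YOUR.REALM> entry, and this script runs that check over a `klist -k` listing with an exact, case-sensitive match. The listing is a constructed sample that reuses the principal from the post; `nfsserver.linuxnet.nl` and the KVNO are made-up values, and the function names are this example's own.

```shell
#!/bin/sh
# Check a `klist -k` listing for the nfs/<host>@<REALM> service principal
# that rpc.svcgssd looks for on the machine where it runs.

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT layout).
# The principal is the one created in the post; the KVNO is made up.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/xp2600pro.linuxnet.nl@linuxnet.nl
EOF
}

# keytab_has_nfs HOST REALM   (reads a klist -k listing on stdin)
# Returns 0 if nfs/HOST@REALM is listed, 1 otherwise. The comparison is
# exact because Kerberos principal and realm names are case-sensitive.
keytab_has_nfs() {
    awk -v want="nfs/$1@$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# list_nfs_principals   (stdin: klist -k listing) prints unique nfs/ entries
list_nfs_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// { print $2 }' | sort -u
}

# report HOST REALM: readable result for the sample listing.
# On a real host, replace sample_klist with: klist -k /etc/krb5.keytab
report() {
    if sample_klist | keytab_has_nfs "$1" "$2"; then
        echo "OK: nfs/$1@$2 is in the keytab"
    else
        echo "MISSING: nfs/$1@$2; keytab has:" \
             "$(sample_klist | list_nfs_principals | tr '\n' ' ')"
        return 1
    fi
}

report xp2600pro.linuxnet.nl linuxnet.nl            # host the keytab was made for
report nfsserver.linuxnet.nl linuxnet.nl || true    # constructed other host name
report xp2600pro.linuxnet.nl LINUXNET.NL || true    # same host, realm case differs
```

The host to pass is the fully qualified name of the machine running rpc.svcgssd, and the realm must be written exactly as it appears in the keytab.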

