nfs keytab trouble.
Mark Hannessen
msh104 at xs4all.nl
Sun May 2 08:05:55 EDT 2004
Hi
I am pretty new to the Kerberos world and ran into some trouble trying to get
Kerberized NFS up and running.
My current status:
I have krb5kdc and kadmind running fine.
This is how my krb5.conf looks live on my server and my client.
(but I removed the "profile = /kerberos/etc/krb5kdc/kdc.conf" line on the
clients)

[logging]
    kdc = FILE:/kerberos/var/log/krb5kdc.log
    admin_server = FILE:/kerberos/var/log/kadmin.log
    default = FILE:/kerberos/var/log/krb5lib.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = linuxnet.nl
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    linuxnet.nl = {
        kdc = kerberos.linuxnet.nl:88
        admin_server = kerberos.linuxnet.nl:749
        default_domain = linuxnet.nl
    }

[domain_realm]
    .linuxnet.nl = linuxnet.nl
    linuxnet.nl = linuxnet.nl

[kdc]
    profile = /kerberos/etc/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        krb4_convert = false
    }
    kinit = {
        forwardable = true
        renewable = true
    }

On my server I also have a kdc.conf file containing the following:

[kdcdefaults]
    acl_file = /kerberos/etc/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab

[realms]
    linuxnet.nl = {
        database_name = /kerberos/etc/krb5kdc/principal
        admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
        acl_file = /kerberos/etc/krb5kdc/kadm5.acl
        dict_file = /kerberos/etc/krb5kdc/kadm5.dict
        key_stash_file = /kerberos/etc/krb5kdc/.k5.linuxnet.nl
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

I am currently able to log into kadmin and kinit on both server and client.
So far, so good.
I then try to start nfsv4 using the following daemons and configs.
rpc.mountd: seems to work fine
rpc.idmapd: seems to work fine as well, uses the following config file:

[General]
    Verbosity = 0
    Pipefs-Directory = /var/lib/nfs/rpc_pipefs
    Domain = linuxnet.nl

[Mapping]
    Nobody-User = nfsnb
    Nobody-Group = nfsnb

But rpc.svcgssd -f outputs the following errors:

    ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No principal in keytab matches desired name
    unable to obtain root (machine) credentials
    do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

The problem is that I don't really know how the creation of keytabs is
supposed to go. I also didn't really understand the documentation, but this
is what I did after reading multiple howtos:
On the server I executed the following:

    # xp2600pro.linuxnet.nl is the client computer name.
    kadmin.local -q "addprinc -randkey nfs/xp2600pro.linuxnet.nl@linuxnet.nl"
    kadmin.local -q "ktadd -e des-cbc-crc:normal -k /tmp/krb5.keytab nfs/xp2600pro.linuxnet.nl@linuxnet.nl"

I then copied this file to /etc/krb5.keytab on the client.
But this does not seem to resolve my problem.
I don't know what to do next. Is there anyone out there who can enlighten me?
Thanks in return.
Mark Hannessen.
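
Added example, not part of the original post: the rpc.svcgssd error quoted above asks for a keytab entry of the form nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab on the machine where the daemon starts. The shell functions below build that name and test `klist -k` output for an exact, case-sensitive match; the function names and the sample listing (including its KVNO) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# expected_principal SERVICE FQDN REALM
# Prints the service principal name in the form the error message asks for.
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has_principal PRINCIPAL
# Reads `klist -k` output on stdin and succeeds only on an exact match.
# The comparison is case-sensitive: LINUXNET.NL and linuxnet.nl are
# different realms to Kerberos.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }   # rows are "KVNO principal"
        END { exit (found ? 0 : 1) }
    '
}

# check_nfs_keytab FQDN REALM [KEYTAB]
# Run on the host where rpc.svcgssd starts; FQDN is that host's own name.
check_nfs_keytab() {
    want=$(expected_principal nfs "$1" "$2")
    if klist -k "${3:-/etc/krb5.keytab}" 2>/dev/null | keytab_has_principal "$want"
    then echo "present: $want"
    else echo "missing: $want"; return 1
    fi
}

# Constructed sample of `klist -k` output for a keytab holding only the
# principal created in the post.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/xp2600pro.linuxnet.nl@linuxnet.nl
EOF
}
```

On a live host, `check_nfs_keytab "$(hostname -f)" linuxnet.nl` reports whether the local keytab carries the entry for that host's own name.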