nfs keytab trouble.
Kevin Coffman
kwc at citi.umich.edu
Mon May 3 09:50:02 EDT 2004
Mark,
It looks like you actually used the "-m" option to rpc.svcgssd? If
not, try adding that; also "-vvv" will give more verbose output that
might give a better clue.
What does your /etc/krb5.conf look like on the client machine?
nfsv4-wg at citi.umich.edu might be a better place for more help.
P.S.
This shouldn't be your problem, but the convention is to name your
Kerberos realm with all capitals, i.e. LINUXNET.NL.
> Hi
>
> I am pretty new to the kerberos world and ran into some trouble trying to get
> kerberized nfs up and running.
>
> my current status.
>
> I have krb5kdc and kadmind running fine.
> This is how my krb5.conf looks like on my server and my client.
> (but I removed the "profile = /kerberos/etc/krb5kdc/kdc.conf" line on the
> clients)
>
> [logging]
> kdc = FILE:/kerberos/var/log/krb5kdc.log
> admin_server = FILE:/kerberos/var/log/kadmin.log
> default = FILE:/kerberos/var/log/krb5lib.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = linuxnet.nl
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_kdc = true
> dns_lookup_realm = true
>
> [realms]
> linuxnet.nl = {
> kdc = kerberos.linuxnet.nl:88
> admin_server = kerberos.linuxnet.nl:749
> default_domain = linuxnet.nl
> }
>
> [domain_realm]
> .linuxnet.nl = linuxnet.nl
> linuxnet.nl = linuxnet.nl
>
> [kdc]
> profile = /kerberos/etc/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> krb4_convert = false
> }
> kinit = {
> forwardable = true
> renewable = true
> }
>
> on my server I also have a kdc.conf file containing the following.
>
> [kdcdefaults]
> acl_file = /kerberos/etc/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
>
> [realms]
> linuxnet.nl = {
> database_name = /kerberos/etc/krb5kdc/principal
> admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
> acl_file = /kerberos/etc/krb5kdc/kadm5.acl
> dict_file = /kerberos/etc/krb5kdc/kadm5.dict
> key_stash_file = /kerberos/etc/krb5kdc/.k5.linuxnet.nl
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> }
>
> I am currently able to log into kadmin and kinit on both server and client.
> So far, so good.
>
> I then try to start nfsv4 using the following daemons and configs.
> rpc.mountd: seems to work fine
> rpc.idmapd: seems to work fine as well, uses the following config file
>
> [General]
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = linuxnet.nl
>
> [Mapping]
> Nobody-User = nfsnb
> Nobody-Group = nfsnb
>
> but rpc.svcgssd -f outputs the following errors.
>
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No
> principal in keytab matches desired name
> unable to obtain root (machine) credentials
> do you have a keytab entry for nfs/<your.host>@<YOUR.REALM>
> in /etc/krb5.keytab?
>
> The problem is that I don't really know how the creation of keytabs is
> supposed to go. I also didn't really understand the documentation. But this
> is what I did after reading multiple howtos:
>
> On the server I executed the following:
> # xp2600pro.linuxnet.nl is the client computer name.
> kadmin.local -q "addprinc -randkey nfs/xp2600pro.linuxnet.nl@linuxnet.nl"
>
> kadmin.local -q "ktadd -e des-cbc-crc:normal -k /tmp/krb5.keytab
> nfs/xp2600pro.linuxnet.nl@linuxnet.nl"
>
> I then copied this file to /etc/krb5.keytab on the client.
> But this does not seem to resolve my problem.
> I don't know what to do next, is there anyone out there who can enlighten me?
>
> Thanks in return.
>
> Mark Hannessen.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
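As an added diagnostic (not part of this thread, not a Kerberos tool), the checker below parses the output of `klist -ke` and reports whether the nfs/<host>@<REALM> entry that the rpc.svcgssd error asks for is present, pointing out a host mismatch or a realm mismatch when it is not. The listing is a constructed sample modelled on the principal created above; the host name and realm passed in are assumptions.

```python
import re

# Constructed sample of `klist -ke /etc/krb5.keytab` output; the single entry
# mirrors the principal the poster added for the client host.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/xp2600pro.linuxnet.nl@linuxnet.nl (DES cbc mode with CRC-32)
"""

# One keytab entry line: KVNO, service/host@REALM, optional "(enctype)".
# User principals without a "/" are not matched and are ignored.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)/(\S+?)@(\S+)(?:\s+\((.*)\))?\s*$")


def parse_keytab_listing(text):
    """Return (kvno, service, host, realm, enctype) tuples from klist -k[e] output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append((int(kvno), service, host, realm, enctype))
    return entries


def check_nfs_keytab(listing, fqdn, realm):
    """Say whether rpc.svcgssd running on `fqdn` in `realm` will find its key.

    Host names compare case-insensitively (DNS names are), realm names
    compare exactly, because Kerberos realm names are case-sensitive.
    """
    wanted = f"nfs/{fqdn}@{realm}"
    findings = []
    nfs_entries = [e for e in parse_keytab_listing(listing) if e[1] == "nfs"]
    for _, _, host, entry_realm, _ in nfs_entries:
        if host.lower() == fqdn.lower() and entry_realm == realm:
            return ("ok", f"found {wanted}")
        if host.lower() == fqdn.lower():
            findings.append(f"realm mismatch: nfs/{host}@{entry_realm}, wanted realm {realm}")
        else:
            findings.append(f"wrong host: nfs/{host}@{entry_realm}, this machine is {fqdn}")
    if not nfs_entries:
        findings.append("no nfs/ entries in this keytab at all")
    return ("missing", f"{wanted} not present; " + "; ".join(findings))


if __name__ == "__main__":
    print(check_nfs_keytab(SAMPLE_KLIST_OUTPUT, "xp2600pro.linuxnet.nl", "linuxnet.nl"))
```

Feed it the real `klist -ke /etc/krb5.keytab` output from the machine where rpc.svcgssd runs, with that machine's own FQDN and the realm from krb5.conf.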