nfs keytab trouble.

Kevin Coffman kwc at citi.umich.edu
Mon May 3 09:50:02 EDT 2004


Mark,

It looks like you actually used the "-m" option to rpc.svcgssd?  If 
not, try adding that; also "-vvv" will give more verbose output that 
might give a better clue.

What does your /etc/krb5.conf look like on the client machine?

nfsv4-wg at citi.umich.edu might be a better place for more help.

P.S.
This shouldn't be your problem, but the convention is to name your 
Kerberos realm with all capitals, i.e. LINUXNET.NL.

> Hi
> 
> I am pretty new to the kerberos world and ran into some trouble trying to get 
> kerberized nfs up and running.
> 
> my current status.
> 
> I have krb5kdc and kadmind running fine. 
> This is how my krb5.conf looks live on my server and my client.
> (but I removed the "profile = /kerberos/etc/krb5kdc/kdc.conf" line on the 
> clients)
> 
> [logging]
>     kdc = FILE:/kerberos/var/log/krb5kdc.log
>     admin_server = FILE:/kerberos/var/log/kadmin.log
>     default = FILE:/kerberos/var/log/krb5lib.log
> 
> [libdefaults]
>     ticket_lifetime = 24000
>     default_realm = linuxnet.nl
>     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>     dns_lookup_kdc = true
>     dns_lookup_realm = true
> 
> [realms]
>     linuxnet.nl = {
>         kdc = kerberos.linuxnet.nl:88
>         admin_server = kerberos.linuxnet.nl:749
>         default_domain = linuxnet.nl
>     }
> 
> [domain_realm]
>     .linuxnet.nl = linuxnet.nl
>     linuxnet.nl = linuxnet.nl
> 
> [kdc]
>     profile = /kerberos/etc/krb5kdc/kdc.conf
> 
> [appdefaults]
>     pam = {
>        krb4_convert = false
>     }
>     kinit = {
>        forwardable = true
>        renewable = true
>     }
> 
> on my server I also have a kdc.conf file containing the following.
> 
> [kdcdefaults]
>     acl_file = /kerberos/etc/krb5kdc/kadm5.acl
>     dict_file = /usr/share/dict/words
>     admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
> 
> [realms]
>     linuxnet.nl = {
>         database_name = /kerberos/etc/krb5kdc/principal
>         admin_keytab = /kerberos/etc/krb5kdc/kadm5.keytab
>         acl_file = /kerberos/etc/krb5kdc/kadm5.acl
>         dict_file = /kerberos/etc/krb5kdc/kadm5.dict
>         key_stash_file = /kerberos/etc/krb5kdc/.k5.linuxnet.nl
>         master_key_type = des3-hmac-sha1
>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>     }
> 
> I am currently able to log into kadmin and kinit on both server and client.
> So far, so good.
> 
> I then try to start nfsv4 using the following daemons and configs.
> rpc.mountd: seems to work fine
> rpc.idmapd: seems to work fine as well, uses the following config file
> 
> [General]
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = linuxnet.nl
> 
> [Mapping]
> Nobody-User = nfsnb
> Nobody-Group = nfsnb
> 
> but rpc.svcgssd -f outputs the following errors.
> 
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No 
> principal in keytab matches desired name
> unable to obtain root (machine) credentials
> do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> 
> in /etc/krb5.keytab?
> 
> The problem is that I don't really know how the creation of keytabs is 
> supposed to go. I also didn't really understand the documentation. But this 
> is what I did after reading multiple howtos:
> 
> On the server I executed the following:
> # xp2600pro.linuxnet.nl is the client computer name.
> kadmin.local -q "addprinc -randkey nfs/xp2600pro.linuxnet.nl at linuxnet.nl"
> 
> kadmin.local -q "ktadd -e des-cbc-crc:normal -k /tmp/krb5.keytab 
> nfs/xp2600pro.linuxnet.nl at linuxnet.nl"
> 
> I then copied this file to /etc/krb5.keytab on the client.
> But this does not seem to resolve my problem.
> I don't know what to do next, is there anyone out there who can enlighten me?
> 
> Thanks in return.
> 
> Mark Hannessen.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
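The check that the rpc.svcgssd error message asks for ("do you have a keytab entry for nfs/<your.host>@<YOUR.REALM>?"), written out as an added Python example that is not from either poster: it parses `klist -kte` output and looks for exactly `nfs/<host>@<realm>`, reporting near-misses such as an nfs key for a different host or a realm that differs only in case (Kerberos compares realm names case-sensitively). The keytab listing below is constructed sample data, not output from the thread.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `klist -kte /etc/krb5.keytab` output (not real data).
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/03/04 09:12:01 nfs/xp2600pro.linuxnet.nl@linuxnet.nl (DES cbc mode with CRC-32)
   2 05/01/04 17:40:55 host/kerberos.linuxnet.nl@linuxnet.nl (Triple DES cbc mode with HMAC/sha1)
"""

# KVNO, a two-token timestamp, the principal, and an optional "(enctype)" suffix.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\((.+)\))?\s*$")


class KeytabEntry(NamedTuple):
    kvno: int
    service: str
    instance: str
    realm: str
    enctype: str


class KeytabCheck(NamedTuple):
    found: bool
    enctypes: List[str]
    near_misses: List[str]


def parse_keytab_listing(listing: str) -> List[KeytabEntry]:
    """Turn klist -kt[e] output into entries; header and separator lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal, enctype = m.groups()
        service, _, rest = principal.partition("/")
        instance, _, realm = rest.rpartition("@")
        entries.append(KeytabEntry(int(kvno), service, instance, realm, enctype or ""))
    return entries


def check_nfs_principal(listing: str, hostname: str, realm: str) -> KeytabCheck:
    """Does the keytab hold exactly nfs/<hostname>@<realm>? Collect look-alikes otherwise."""
    wanted = f"nfs/{hostname}@{realm}"
    matches, near = [], []
    for e in parse_keytab_listing(listing):
        name = f"{e.service}/{e.instance}@{e.realm}"
        if name == wanted:
            matches.append(e)
        elif e.service == "nfs" or (e.instance.lower() == hostname.lower()
                                     and e.realm.lower() == realm.lower()):
            near.append(name)  # wrong host, wrong service, or case-only realm mismatch
    return KeytabCheck(bool(matches), sorted({e.enctype for e in matches}), near)
```

Run it with the hostname rpc.svcgssd runs on and the realm from krb5.conf; an empty `near_misses` with `found` false means the keytab simply has no nfs key at all.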
