Linux client kerberos problem with attempted nfsv4 connection...
Jeffrey C Albro
jalbro at bu.edu
Mon May 23 16:30:47 EDT 2005
Here is the krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 36000
default_realm = AD.BU.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AD.BU.EDU = {
kdc = adc1.bu.edu
admin_server = ad.bu.edu
}
BU.EDU = {
kdc = kerberos1.bu.edu:750
kdc = kerberos2.bu.edu:750
kdc = kerberos3.bu.edu:750
admin_server = kerberos1.bu.edu
default_domain = bu.edu
}
bu.edu = {
kdc = kerberos1.bu.edu
kdc = kerberos2.bu.edu
kdc = kerberos3.bu.edu
admin_server = kerberos1.bu.edu
}
[domain_realm]
.bu.edu = bu.edu
bu.edu = bu.edu
server.bu.edu = AD.BU.EDU
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
ignore_afs = true
minimum_uid = 3000
}
###############################
When I comment out these lines:
#dns_lookup_realm = false
#dns_lookup_kdc = false
the messages change to:
May 23 16:21:58 client rpc.gssd[6442]: Using keytab file
'/etc/krb5.keytab'
May 23 16:21:58 client rpc.gssd[6442]: WARNING: Client not found in
Kerberos database while getting initial ticket for principal
'nfs/client.bu.edu at AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'
May 23 16:21:58 client rpc.gssd[6442]: ERROR: No usable machine
credentials obtained
May 23 16:21:58 client rpc.gssd[6442]: WARNING: Failed to obtain machine
credentials for connection to server server.bu.edu
Sooo.... It seems I have something screwed up with the keytab and realm.
-Jeff
On Fri, 20 May 2005, Lord of the Union wrote:
> Hi,
>
> > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
> > requested realm while getting initial ticket for principal
> > 'nfs/client.bu.edu at AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'
>
> The above error could be a key to the problem. Can you please post the
> krb5.conf? Also verify that the KDC is being resolved correctly to a
> fully qualified domain name.
>
> = Ram Marti
>
>
> Jeffrey C Albro wrote:
> > I'm trying to create a krb5 authenticated nfsv4 connection from a Linux
> > Fedora core 3 client to a NetApp filer server.
> >
> > The trick is, the NetApp is running Kerberos connected to a Windows AD
> > KDC...
> >
> > I've created a keytab for the client with a principal of:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    4 nfs/client.bu.edu at AD.BU.EDU
> >
> >
> > On the client a mount attempt gives
> >
> > client:~# mount -tnfs4 -o sec=krb5 server.bu.edu:/vol/unix_share
> > /mnt/unix_share
> > mount: block device server.bu.edu:/vol/unix_share is write-protected,
> > mounting read-only
> > mount: cannot mount block device server.bu.edu:/vol/unix_share read-only
> >
> > Mounting without the -o sec=krb5 works fine.
> >
> > Here's where I need help... I get the following suspicious messages in
> > /var/log/messages:
> >
> > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
> > requested realm while getting initial ticket for principal
> > 'nfs/client.bu.edu at AD.BU.EDU' from keytab 'FILE:/etc/krb5.keytab'
> >
> > and
> >
> > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Failed to obtain
> > machine credentials for connection to server server.bu.edu
> >
> > The first one is weird as I have krb5.conf set up, have joined the domain
> > with samba, and can kinit an AD account just fine.
> >
> > I've googled these errors with no luck. I'm also working with nfsv4 and
> > netapp people on it, but I thought I would give this list a try as well.
> >
> > Anyone have any ideas?
> >
> > Thanks!
> >
> > -Jeff
> >
> >
> > -----------------------------------------------------------
> > Jeffrey Albro | Systems Administrator | Boston University
> > - Department of Electrical and Computer Engineering -
> > jalbro at bu.edu | Photonics, Room 305 | 617-358-2785
> > -----------------------------------------------------------
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
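An added example, not part of the original post or of any Kerberos tooling: a small Python check run over an excerpt of the krb5.conf above that reports where [realms] and [domain_realm] disagree with the keytab principal's realm. The function names are hypothetical, host_realm is a simplified model of the library's domain_realm lookup order, and the principal is written with "@" where the archive shows " at ".

```python
KRB5_CONF = """# excerpt of the posted krb5.conf, KDC lists trimmed to one entry
[realms]
AD.BU.EDU = {
 kdc = adc1.bu.edu
}
BU.EDU = {
 kdc = kerberos1.bu.edu:750
}
bu.edu = {
 kdc = kerberos1.bu.edu
}
[domain_realm]
.bu.edu = bu.edu
server.bu.edu = AD.BU.EDU"""

def parse(text):
    """krb5 profile syntax: [section], name = value, name = { ... }."""
    conf, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            stack = [conf.setdefault(line.strip("[]"), {})]
        elif line == "}":
            stack.pop()
        elif "=" in line and line[0] not in "#;":
            key, _, val = map(str.strip, line.partition("="))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)
    return conf

def host_realm(conf, host):
    """Exact host entry first, then each parent domain with a leading dot."""
    table, name = conf.get("domain_realm", {}), host.lower()
    while name and name not in table:
        rest = name.lstrip(".").partition(".")[2]
        name = "." + rest if rest else ""
    return table[name][0] if name else None

def check(conf, principal):
    """Findings for one keytab principal of the form service/host@REALM."""
    name, _, realm = principal.partition("@")
    host, realms, out = name.partition("/")[2], conf.get("realms", {}), []
    if not realms.get(realm, {}).get("kdc"):
        out.append(f"{realm}: no kdc entry in [realms]")
    mapped = host_realm(conf, host)
    if mapped and mapped != realm:
        out.append(f"{host} maps to {mapped}, principal is in {realm}")
    out += [f"realms {r.upper()} and {r} differ only by case"
            for r in realms if r != r.upper() and r.upper() in realms]
    return out
```

Calling `check(parse(KRB5_CONF), "nfs/client.bu.edu@AD.BU.EDU")` returns the list of findings for the client principal from the keytab listing.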