gss-client error

Marcus Watts mdw at umich.edu
Wed Aug 23 05:41:26 EDT 2006


"lizhong" <lizhong at ncic.ac.cn> writes:
> Hi all,
>     I am using gss-client to connect to my gss-server. I have 3 Linux machines: machine A is running the KDC, machine B is running gss-server, and machine C is running gss-client.
>     I have created test/gcnode029@test.com fo
...

which contains this:
...
> [root@gcnode029 gss-sample]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 test/gcnode029@test.com
...
> [root@gcnode026 gss-sample]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    6 test/gcnode029@test.com
...

Looks to me like you extracted the same principal on 2 machines.  When
you extracted the 2nd keytab, you rendered the 1st useless.  From your
accompanying description, it sounds like you observed different
behavior - but that may be due to doing part of your testing before you
extracted the 2nd keytab.  Tickets you got for the principal before you
extracted the newer keytab would have worked against a server using the
older keytab.  The kvno is also larger than the usual initial default -
you must have created other keytabs or otherwise reset the key extra
times before you did this round of testing.

In general, if you want to use the same principal on more than one
machine, copy it externally, don't extract it again.  Better yet, use a
different principal for each machine.  You generally extract a new
keytab from the kdc when you intend old keytabs to no longer work.  You
can use ktutil to merge the old & new together if you intend to issue
new service keys but also want to honor outstanding tickets until they
expire.

It is usually better to include fully qualified host names in principal
names.  If your environment is large enough, somebody on the other side
of campus will want to create a "gcnode029" machine as well.

				-Marcus
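The procedure Marcus describes, written out as an added example that is not part of the original thread or of the MIT gss-sample code: extract the service key once, copy the keytab file to the other host instead of running ktadd a second time, merge an old and a new keytab with ktutil when a key really is being rotated, and check klist -k output gathered from several hosts for a principal that shows up with different kvnos (the symptom in the quoted output above). The principal name uses a fully qualified host name as suggested. The admin principal admin/admin, the /tmp/test.keytab path, the two host names and the sample klist output are assumptions made for the example; the kadmin, scp and ktutil steps need a working KDC and are only run when called explicitly.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: realm test.com,
# service principal test/gcnode029.test.com@test.com, hosts gcnode029 and
# gcnode026, admin principal admin/admin.

# Extract the key ONCE. Every ktadd re-randomizes the key and bumps the kvno,
# which is exactly what made the first host's keytab useless in the thread.
extract_once() {
    kadmin -p admin/admin -q \
        "ktadd -k /tmp/test.keytab test/gcnode029.test.com@test.com"
}

# Distribute the same file; do not re-extract on each host.
distribute() {
    for h in gcnode029 gcnode026; do
        scp /tmp/test.keytab "root@$h:/etc/krb5.keytab"
    done
}

# When the key is deliberately rotated, keep the old entry alongside the new
# one so tickets issued under the old kvno still work until they expire.
# usage: merge_keytabs OLD.keytab NEW.keytab MERGED.keytab
merge_keytabs() {
    ktutil <<EOF
rkt $1
rkt $2
wkt $3
quit
EOF
}

# Read "klist -k" output from several hosts, each line prefixed with the host
# name (e.g. "ssh $h klist -k | sed "s/^/$h /""), and print every principal
# that appears with more than one kvno. The same kvno on several hosts means
# the file was copied; different kvnos mean it was extracted more than once.
find_kvno_conflicts() {
    awk '$2 ~ /^[0-9]+$/ && $3 ~ /@/ {
             if (!($3 in seen)) { seen[$3] = $2 }
             else if (seen[$3] != $2) { conflict[$3] = 1 }
         }
         END { for (p in conflict) print p }' | sort
}

# Constructed sample input modelled on the quoted output (not real data).
sample_klist() {
    cat <<EOF
gcnode029 Keytab name: FILE:/etc/krb5.keytab
gcnode029 KVNO Principal
gcnode029 ---- -------------------------------------------------------------
gcnode029    5 test/gcnode029@test.com
gcnode026 Keytab name: FILE:/etc/krb5.keytab
gcnode026 KVNO Principal
gcnode026 ---- -------------------------------------------------------------
gcnode026    6 test/gcnode029@test.com
gcnode026    2 host/gcnode026.test.com@test.com
EOF
}

# Offline check on the constructed sample; prints test/gcnode029@test.com.
sample_klist | find_kvno_conflicts
```

Running the check on the sample reports test/gcnode029@test.com as extracted twice, while host/gcnode026.test.com@test.com, present on one host only, is not flagged. After merge_keytabs, klist -k on the merged file lists both kvnos for the principal, which is the state you want while old tickets are still outstanding.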



More information about the Kerberos mailing list