Kerberized NFSv4 problems

Erich Weiler weiler at
Mon Jun 19 15:24:35 EDT 2006

> Your nfs server's keytab has kvno 5.  You need to do the getprinc on
> that same principal to see what the key version number is in the KDC.
> (Your klist shows principal nfs/nfsserver at MYREALM.COM, but the
> getprinc output is for nfs/ at MYREALM.COM.)
> The kvno of the extracted key in the nfs server's keytab must match
> the kvno of that same principal in the KDC.  To make sure they match,
> extract a new keytab for the nfs/nfsserver principal.

Ah, I see what you're saying I think, sorry about the confusion:

kadmin:  getprinc nfs/
Principal: nfs/ at MYREALM.COM
Expiration date: [never]
Last password change: Mon Jun 19 12:15:22 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Jun 19 12:15:22 PDT 2006 (admin/admin at MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
Policy: [none]


% klist -e -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- 
    5 05/08/06 10:04:34 nfs/ at MYREALM.COM (DES cbc 
mode with CRC-32)

So we're looking at kvno 13 vs kvno 5?  By extracting a new keytab, you 
mean just remove the nfs/ from the KDC's 
/etc/krb5.keytab file and do a new 'ktadd -e des-cbc-crc:normal 
nfs/' (in kadmin) to re-add it?  And it should 
re-add with the matching version number automatically?

Sorry about the ignorance here; I'm fairly new to Kerberos.

ciao, erich

More information about the Kerberos mailing list