Kerberized NFSv4 problems

Erich Weiler weiler at soe.ucsc.edu
Mon Jun 19 15:24:35 EDT 2006


> Your nfs server's keytab has kvno 5.  You need to do the getprinc on
> that same principal to see what the key version number is in the KDC.
> (Your klist shows principal nfs/nfsserver at MYREALM.COM, but the
> getprinc output is for nfs/solarisclient.domain.com at MYREALM.COM.)
> 
> The kvno of the extracted key in the nfs server's keytab must match
> the kvno of that same principal in the KDC.  To make sure they match,
> extract a new keytab for the nfs/nfsserver principal.

Ah, I see what you're saying I think, sorry about the confusion:

kadmin:  getprinc nfs/nfsserver.domain.com
Principal: nfs/nfsserver.domain.com at MYREALM.COM
Expiration date: [never]
Last password change: Mon Jun 19 12:15:22 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Jun 19 12:15:22 PDT 2006 (admin/admin at MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

Then:

% klist -e -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
    5 05/08/06 10:04:34 nfs/nfsserver.domain.com at MYREALM.COM (DES cbc mode with CRC-32)

So we're looking at kvno 13 vs kvno 5?  By extracting a new keytab, you 
mean just remove the nfs/nfsserver.domain.com from the KDC's 
/etc/krb5.keytab file and do a new 'ktadd -e des-cbc-crc:normal 
nfs/nfsserver.domain.com' (in kadmin) to re-add it?  And it should 
re-add with the matching version number automatically?

Sorry about the ignorance here; I'm fairly new to Kerberos.

ciao, erich
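
Added example (not part of the original message): a Python check for the mismatch discussed in this thread, comparing the key version number in `getprinc` output with the entries `klist -e -k -t` lists for the same principal. The sample outputs are constructed from the ones above with `@` written in place of the archive's " at "; the function names are illustrative, and treating the highest KDC kvno as the current one is an assumption.

```python
import re

# Constructed sample input modelled on the output in the message above
# ('@' written out; a real run would capture these from kadmin and klist).
GETPRINC_OUTPUT = """\
Principal: nfs/nfsserver.domain.com@MYREALM.COM
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
"""
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 05/08/06 10:04:34 nfs/nfsserver.domain.com@MYREALM.COM (DES cbc mode with CRC-32)
"""

def kdc_kvnos(getprinc_text):
    """Return (principal, {kvno, ...}) parsed from 'getprinc' output."""
    principal, kvnos = None, set()
    for line in getprinc_text.splitlines():
        if m := re.match(r"Principal:\s+(\S+)", line):
            principal = m.group(1)
        elif m := re.match(r"Key:\s+vno\s+(\d+),", line):
            kvnos.add(int(m.group(1)))
    return principal, kvnos

def keytab_kvnos(klist_text):
    """Return {principal: {kvno, ...}} parsed from 'klist -e -k -t' output."""
    entries = {}
    for line in klist_text.splitlines():
        # Entry rows: KVNO, date, time, principal; headers do not start with a digit.
        if m := re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)", line):
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def check_kvno(getprinc_text, klist_text):
    """Compare the KDC's current kvno with what the keytab holds.

    Returns (status, kdc_kvno, sorted keytab kvnos); status is 'ok',
    'mismatch' (principal present, current kvno absent) or 'missing'.
    """
    principal, kvnos = kdc_kvnos(getprinc_text)
    if principal is None or not kvnos:
        raise ValueError("no principal or key lines found in getprinc output")
    current = max(kvnos)  # assumed: tickets are issued under the highest kvno
    held = sorted(keytab_kvnos(klist_text).get(principal, set()))
    status = "ok" if current in held else ("mismatch" if held else "missing")
    return status, current, held

if __name__ == "__main__":
    print(check_kvno(GETPRINC_OUTPUT, KLIST_OUTPUT))
```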
