Kerberized NFSv4 problems

Kevin Coffman kwc at citi.umich.edu
Mon Jun 19 15:45:28 EDT 2006


On 6/19/06, Erich Weiler <weiler at soe.ucsc.edu> wrote:
> > Your nfs server's keytab has kvno 5.  You need to do the getprinc on
> > that same principal to see what the key version number is in the KDC.
> > (Your klist shows principal nfs/nfsserver at MYREALM.COM, but the
> > getprinc output is for nfs/solarisclient.domain.com at MYREALM.COM.)
> >
> > The kvno of the extracted key in the nfs server's keytab must match
> > the kvno of that same principal in the KDC.  To make sure they match,
> > extract a new keytab for the nfs/nfsserver principal.
>
> Ah, I see what you're saying I think, sorry about the confusion:
>
> kadmin:  getprinc nfs/nfsserver.domain.com
> Principal: nfs/nfsserver.domain.com at MYREALM.COM
> Expiration date: [never]
> Last password change: Mon Jun 19 12:15:22 PDT 2006
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Mon Jun 19 12:15:22 PDT 2006 (admin/admin at MYREALM.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 13, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> Then:
>
> % klist -e -k -t /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 05/08/06 10:04:34 nfs/nfsserver.domain.com at MYREALM.COM (DES cbc mode with CRC-32)
>
> So we're looking at kvno 13 vs kvno 5?  By extracting a new keytab, you
> mean just remove the nfs/nfsserver.domain.com from the KDC's
> /etc/krb5.keytab file and do a new 'ktadd -e des-cbc-crc:normal
> nfs/nfsserver.domain.com' (in kadmin) to re-add it?  And it should
> re-add with the matching version number automatically?

Basically, yes.  What ktadd does is generate a new random key for the
principal and put it into the Kerberos database and also into the
keytab.  If you do another ktadd for that principal, it should
generate key version number 14 and put that same key into the Kerberos
database and into the keytab.  You can check this by doing the
getprinc and klist commands afterwards and verifying that both have
kvno 14.

HTH,
K.C.
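As an added example (not part of the thread above), the "getprinc and klist afterwards" check can be scripted: the parsers below read saved `klist -e -k -t` and `kadmin getprinc` output and flag a keytab whose kvno does not match the KDC's current kvno for that principal. The sample input is the thread's own output, constructed inline with the archive's "at" restored to "@"; the output is assumed to have been captured to text first rather than obtained by running the tools.

```python
import re

# Constructed sample input: the `klist -e -k -t` and `kadmin getprinc`
# output from the thread above, with the list archive's "at" restored to "@".
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 05/08/06 10:04:34 nfs/nfsserver.domain.com@MYREALM.COM (DES cbc mode with CRC-32)
"""
GETPRINC_OUTPUT = """\
Principal: nfs/nfsserver.domain.com@MYREALM.COM
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
Attributes:
"""

# klist entry line: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.*)\)\s*$")
# getprinc key line: "Key: vno <kvno>, <enctype>, <salt>"
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+)")

def parse_keytab(text):
    """Map each principal in `klist -e -k -t` output to its (kvno, enctype) entries."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return entries

def parse_getprinc(text):
    """Return (principal, [(kvno, enctype), ...]) from `kadmin getprinc` output."""
    principal, keys = None, []
    for line in text.splitlines():
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1].strip()
        m = KEY_RE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2).strip()))
    return principal, keys

def check_kvno(keytab, kdc):
    """The keytab must hold the KDC's current (highest) kvno for the principal.
    Returns (ok, keytab_kvnos, kdc_kvnos) so a mismatch can be reported."""
    principal, kdc_keys = kdc
    kt_kvnos = sorted({k for k, _ in keytab.get(principal, [])})
    kdc_kvnos = sorted({k for k, _ in kdc_keys})
    ok = bool(kdc_kvnos) and max(kdc_kvnos) in kt_kvnos
    return ok, kt_kvnos, kdc_kvnos

if __name__ == "__main__":
    ok, kt, kdc = check_kvno(parse_keytab(KLIST_OUTPUT), parse_getprinc(GETPRINC_OUTPUT))
    print("match" if ok else f"MISMATCH: keytab kvno {kt} vs KDC kvno {kdc}")
```

On the thread's output this reports keytab kvno 5 against KDC kvno 13; after a fresh `ktadd` both sides should show the same new kvno and the check passes.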
