GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries

Jason D. McCormick jason at devrandom.org
Wed Jan 2 14:13:44 EST 2008 

Hello,

I'm attempting to get NFSv4 working using Krb5/GSS credentials.  I've
successfully set this up a number of times using MIT KDCs.  However for
this implementation I have to use existing MS Windows Active Directory
(2003R2) servers as the KDCs (ad0.loc1.example.com,
ad1.loc1.example.com).  I've distilled my problem down to the GSSAPI
message "GSS-API error accepting context: Key table entry not found".
The keytab entry does, however, exist and works just fine if I do a
'kinit -k'.  I've been testing configuration using the
gss-server/gcc-client tools and can reproduce the exact same behavior
(i.e. this isn't something in the NFSv4 code).

Here's the setup - There are two Windows AD servers providing a Kerberos
realm (and Windows domain) named AD.EXAMPLE.COM.  The Linux hosts I'm
trying to use as clients and servers are named nfs.loc1.example.com and
client.loc1.example.com.  This is a multi-site Active Directory forest
and my "location" is the domain loc1.example.com.  Within krb5.conf I
have the following defined:

  [libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

  [realms]
    EXAMPLE.COM = {
      kdc = ad0.loc1.example.com:88
      kdc = ad1.loc1.example.com:88
      admin_server = ad0.loc1.example.com:749
    }

  [domain_realm]
    .example.com = AD.EXAMPLE.COM
    example.com = AD.EXAMPLE.COM
    .loc1.example.com = AD.EXAMPLE.COM
    loc1.example.com = AD.EXAMPLE.COM

If I perform 'kinit jason' from the prompt, I get prompted for my
jason at AD.EXAMPLE.COM password and successfully acquire a TGT.  I have
stashed the principals host/nfs.loc1.example.com at AD.EXAMPLE.COM and
nfs/nfs.loc1.example.com at AD.EXAMPLE.COM in /etc/krb5.keytab.  I can
successfully acquire a TGT when performing 'kinit -k' as one of these
principals.  However if I setup a test GSS setup using gss-server and
gss-client I encounter the aforementioned keytab error.  I am doing the
following:

(server)
$ gss-server -port 10000 -once -verbose nfs

(client)
$ gss-client -port 10000 nfs.loc1.example.com nfs hi

The client reports:

  GSS-API error initializing context: Miscellaneous failure
  GSS-API error initializing context: Generic error (see e-text)

If I run the server in an strace, it write()s back to the client

  55GSS-API error accepting context: Miscellaneous Failure
  59GSS-API error accepting context: Key table entry not found

The first message reports a return of 55 and the second reports 59.  I
was able to dig around in rpc.svcgssd's logging and found a similar
error condition there about key table entries.  If I perform a similar
test using at another site using MIT KDCs, gss-server/gss-client works
as I would expect.  Am I missing some subtlety in the configuration
that's unique to using Windows as the KDC and how the realms and DNS
names are?

Thanks.

- Jason

More information about the Kerberos mailing list