Kerberos setup on CentOS

Alan Taylor ataylor at ieee.org
Thu Dec 3 18:34:33 EST 2009


Greetings,

I am trying to set up Kerberos on CentOS 5.4 (for NFSv4). I have spent
about three days on it and read all the docs I can find.
Detailed logs follow (host names changed for security; note that this list
archive apparently also rewrites '@' as ' at ', so e.g. 'root/admin at
MYDOMAIN.HK' below was typed as 'root/admin@MYDOMAIN.HK') if anyone can spot
any clues ...

1) packages krb5-libs.x86_64 krb5-server.x86_64 krb5-workstation.x86_64
installed
private network on 192.168.8.0/24
KDC will be kdc.mydomain.hk 192.168.100.10 (note: this address is not inside
the 192.168.8.0/24 network stated above — presumably an artefact of the
name/address changes made for the post)

2) check name resolution (there is no DNS server on the private network;
forward and reverse entries live in /etc/hosts). Kerberos service
principals are keyed by the canonical host name, so every NFS client needs
the same consistent forward and reverse entries as well:
#hostname
kdc.mydomain.hk
#dig kdc.mydomain.hk +short
192.168.100.10
#dig -x 192.168.100.10 +short
kdc.mydomain.hk.

3) /etc/krb5.conf
# /etc/krb5.conf: client-side Kerberos library configuration (MIT krb5).
# Lines starting with '#' are comments; the comments here are review notes,
# the key/value lines are exactly what was posted.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.HK
# DNS-based discovery is disabled on both counts: the host-to-realm mapping
# comes from [domain_realm] below and the KDC/kadmin addresses from [realms],
# not from DNS TXT/SRV records. The host name itself is still resolved
# (via /etc/hosts, per step 2), so that resolution must stay trustworthy.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
# forwardable = yes requests forwardable TGTs: a service the user logs in to
# (e.g. via ssh) can be handed a copy of the user's credentials. Keep only if
# that delegation is actually wanted.
 forwardable = yes

[realms]
 MYDOMAIN.HK = {
# KDC (port 88) and kadmin (port 749) endpoints; both point at the host
# configured in step 2 and match kdc_tcp_ports in kdc.conf (step 4).
  kdc = kdc.mydomain.hk:88
  admin_server = kdc.mydomain.hk:749
# default_domain is only used when translating Kerberos 4 service principal
# names; with krb524 disabled in step 7 it should not matter here.
  default_domain = mydomain.hk
 }

# Maps host names under mydomain.hk to the realm; the host/ and nfs/ service
# principals for kdc.mydomain.hk and kdc_client.mydomain.hk (step 7) rely
# on this mapping since dns_lookup_realm is off.
[domain_realm]
 .mydomain.hk = MYDOMAIN.HK
 mydomain.hk = MYDOMAIN.HK

# Read by pam_krb5 (not by libkrb5 or the KDC). The lifetimes here are
# presumably in seconds (36000 s = 10 h), which differs from the 24h in
# [libdefaults] — confirm against the pam_krb5 documentation in use.
# krb4_convert = false is consistent with krb524 being turned off in step 7.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

4) /var/kerberos/krb5kdc/kdc.conf
# /var/kerberos/krb5kdc/kdc.conf: KDC-side configuration (MIT krb5).
# The comments are review notes; the key/value lines are as posted.
[kdcdefaults]
# v4_mode = nopreauth makes the KDC answer Kerberos 4 requests without
# preauthentication. Kerberos 4 is obsolete, and krb524 is disabled in
# step 7, so nothing posted here appears to need it; v4_mode = none would
# remove that exposure (confirm no v4 clients exist before changing).
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 MYDOMAIN.HK = {
# master_key_type is commented out, so kdb5_util create (step 5) used the
# build's default master key enctype rather than des3-hmac-sha1.
  #master_key_type = des3-hmac-sha1
# kadm5.acl (step 6) controls which principals may administer the database.
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
# MIT applies dictionary checks only to principals that have a password
# policy; every addprinc in step 7 reports "no policy specified", so as
# posted this word list is not consulted for those principals.
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Enctypes/salts generated for new principals (compare the ktadd output in
# step 7). This list still contains single DES (56-bit key) plus its v4 and
# afs3 salt variants; single DES is weak and only needed for legacy clients.
# NOTE: the two lines following supported_enctypes are the same value wrapped
# by the mail archive; in the real file it is one line.
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
des-cbc-crc:afs3
 }

5) create database
#kdb5_util create -s

6) /var/kerberos/krb5kdc/kadm5.acl
# any principal whose instance is "admin" gets every kadmin privilege ("*");
# root/admin, created in step 7, therefore has full control of the database
*/admin@MYDOMAIN.HK       *

7) create principals

#kadmin.local
    Authenticating as principal root/admin at MYDOMAIN.HK with password.
    kadmin.local: addprinc root/admin at MYDOMAIN.HK
    WARNING: no policy specified for "root/admin at MYDOMAIN.HK"; defaulting to
no policy
    Enter password for principal root/admin at MYDOMAIN.HK:  <= Enter a
password.
    Re-enter password for principal root/admin at MYDOMAIN.HK:  <= Type it
again.
    Principal "root/admin at MYDOMAIN.HK" created.
    q

#chkconfig --levels 0123456 krb524 off
#service krb5kdc start
#service kadmin start

# kadmin
Authenticating as principal root/admin at MYDOMAIN.HK with password.
Password for root/admin at MYDOMAIN.HK: xxxx

kadmin:  addprinc -randkey host/kdc.mydomain.hk
WARNING: no policy specified for host/kdc.mydomain.hk at MYDOMAIN.HK;
defaulting to no policy
Principal "host/kdc.mydomain.hk at MYDOMAIN.HK" created.

kadmin:  ktadd host/KDC.mydomain.hk
Entry for principal host/kdc.mydomain.hk with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc.mydomain.hk with kvno 3, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc.mydomain.hk with kvno 3, encryption type DES
with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc.mydomain.hk with kvno 3, encryption type DES
cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin:   addprinc -randkey host/kdc_client.mydomain.hk
WARNING: no policy specified for host/kdc_client.mydomain.hk at MYDOMAIN.HK;
defaulting to no policy
Principal "host/kdc_client.mydomain.hk at MYDOMAIN.HK" created.

kadmin:  addprinc -randkey nfs/kdc.mydomain.hk
WARNING: no policy specified for nfs/kdc.mydomain.hk at MYDOMAIN.HK; defaulting
to no policy
Principal "nfs/kdc.mydomain.hk at MYDOMAIN.HK" created.

kadmin:  addprinc -randkey nfs/kdc_client.mydomain.hk
WARNING: no policy specified for nfs/kdc_client.mydomain.hk at MYDOMAIN.HK;
defaulting to no policy
Principal "nfs/kdc_client.mydomain.hk at MYDOMAIN.HK" created.

kadmin:  addprinc user1
WARNING: no policy specified for user1 at MYDOMAIN.HK; defaulting to no policy
Enter password for principal "user1 at MYDOMAIN.HK": xxxxxx
Re-enter password for principal "user1 at MYDOMAIN.HK": xxxxxx
Principal "user1 at MYDOMAIN.HK" created.

kadmin:  q

#shutdown -r now
...
Starting Kerberos 5 Admin Server:    [OK]
Starting Kerberos 5 KDC:                [OK]
...
Starting RPC svcgssd                        [FAILED]

/var/log/warning.log (the messages below are the clue: both rpc.gssd and
rpc.svcgssd report that /etc/krb5.keytab contains no nfs/<host> entry.
Step 7 created nfs/kdc.mydomain.hk with addprinc but only ran ktadd for
host/kdc.mydomain.hk, so the nfs/ key was never exported to the keytab;
the client host would likewise need its own keytab holding its
nfs/kdc_client.mydomain.hk key.)
...
rpc.gssd[2309] Using keytab file '/etc/krb5.keytab'
rpc.gssd[2309] Processing keytab entry for principal 'host/kdc.mydomain.hk@
MYDOMAIN.HK'
rpc.gssd[2309] We will NOT use this entry (host/kdc.mydomain.hk at MYDOMAIN.HK)
... above 2 lines repeated 7 times
rpc.gssd[2309]: ERROR: No usable keytab entries found in keytab
'/etc/krb5.keytab'
rpc.gssd[2309]: Do you have a valid keytab entry for
nfs/<your.host>@<YOUR.REALM> in keytab file /etc/krb5.keytab ?
rpc.gssd[2309]: Continuing without (machine) credentials - nfs4 mounts with
Kerberos will fail
rpc.svcgssd[2437]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified
GSS failure.  Minor code may provide more information - No principal in
keytab matches desired name
rpc.svcgssd[2437]: Unable to obtain credentials for 'nfs'
rpc.svcgssd[2437]: unable to obtain root (machine) credentials
rpc.svcgssd[2437]: do you have a keytab entry for
nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery
directory
kernel: NFSD: starting 90-second grace period


Many thanks,
Brgds/Alan


