Kerberos contexts - definition?

Derek Warren warren at sfu.ca
Mon Aug 27 14:59:25 EDT 2012


Thank you for the insightful responses, Russ, Nico and Steve.

On 2012-08-27, at 10:11 AM, Nico Williams wrote:
> I'm going to assume that you meant "GSS context", not "Kerberos context".

I'm going to assume you're correct since I'm quite, quite lost. :-)



>> 2) Why would rpc.gssd on the client be unsuccessful in creating a
>> Kerberos context?
> 
> Depends on which kind of context you really meant.  Assuming you meant
> "GSS security context"... it could be lots of things.


Assuming I have no clue what I'm doing (cough), what are some basic
things I could poke at to begin troubleshooting?  I'm not even sure
where to start.  The NFS client?  The KDC?

Which of those two contexts do you suppose the authors of 
nfs-utils meant when writing error messages like this:

> rpc.gssd: WARNING: Failed to create krb5 context for user with uid 0 for server nfsserver.example.com
> rpc.gssd: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_AD.EXAMPLE.COM for server nfsserver.example.com





On 2012-08-27, at 10:59 AM, steve at steve-ss.com wrote:
> For us, nfs4 with a Samba4 AD, gssd fails when it can't find e.g. a 
> machine key in (by default) /etc/krb5.keytab

Thank you, Steve. My previous diatribe shows that _all_ of those
principals are present in /etc/krb5.keytab on the NFS server and client.

Interesting that the only obvious differences here are that your setup 
works and doesn't contain any Microsoft products...

Are you using Samba4 to do AD<->UID/GID mapping as well?



On 2012-08-27, at 11:11 AM, Douglas E. Engert wrote:
> http://joshuawise.com/kerberos-nfs
> has some debugging, and talks about idmapd issues

Thank you, but we're erroring out despite having all of the pieces 
that he has documented already in place.


--Derek


--
Derek Warren, IT Services, Research Computing Group, Simon Fraser University


