krb5 + NFS rpc.svcgssd - GSS_S_FAILURE - Wrong principal in request
0xbabaf00l
0xbabaf00l at gmail.com
Tue Dec 22 03:00:09 EST 2015
Hi,
I reinstalled an NFS fileserver with a failed root filesystem.
I deleted its nfs principal on the KDC, created a new one and added
this one to a keytab file.
When I start rpc.svcgssd on the fileserver I get this error message:
[...]
entering poll
leaving poll
handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more
information) - Wrong principal in request
sending null reply
finished handling null request
[...]
I tried to supply the principal as an argument:
root@fileserver:~# -p "nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
The message changes, but it didn't work either:
[...]
entering poll
leaving poll
handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more
information) - Key version number for principal in key table is
incorrect
sending null reply
finished handling null request
[...]
fileserver runs Debian Jessie (8.2)
The following versions are installed:
root@fileserver:~# dpkg -l | grep krb5
ii krb5-config 2.3 all
Configuration files for Kerberos Version 5
ii krb5-user 1.12.1+dfsg-19+deb8u1 amd64
Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2:amd64 1.12.1+dfsg-19+deb8u1 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 1.6~rc2+dfsg-9 amd64
Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.12.1+dfsg-19+deb8u1 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.12.1+dfsg-19+deb8u1 amd64
MIT Kerberos runtime libraries - Support library
ii sssd-krb5 1.11.7-3 amd64
System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.7-3 amd64
System Security Services Daemon -- Kerberos helpers
root@fileserver:~# hostname -f
fileserver.sub.mydomain.tld
root@fileserver:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des-cbc-crc)
   2 host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des3-cbc-sha1)
   2 nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des-cbc-crc)
   2 nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des3-cbc-sha1)
root@fileserver:~# kinit -k -p nfs/fileserver.sub.mydomain.tld
root@fileserver:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD
Valid starting       Expires              Service principal
12/22/2015 08:52:16  12/23/2015 08:52:17  krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
        renew until 12/29/2015 08:52:17
root@fileserver:~# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SUB.MYDOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
[realms]
SUB.MYDOMAIN.TLD = {
kdc = kdc.sub.mydomain.tld
admin_server = kdc.sub.mydomain.tld
}
[domain_realm]
sub.mydomain.tld = SUB.MYDOMAIN.TLD
.sub.mydomain.tld = SUB.MYDOMAIN.TLD
kdc:~# kadmin.local -q "getprinc nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
Authenticating as principal root/admin@SUB.MYDOMAIN.TLD with password.
Principal: nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD
Expiration date: [never]
Last password change: Mon Dec 21 21:28:01 CET 2015
Password expiration date: [none]
Maximum ticket life: 31 days 00:00:00
Maximum renewable life: 62 days 00:00:00
Last modified: Mon Dec 21 21:28:01 CET 2015 (root/admin@SUB.MYDOMAIN.TLD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
MKey: vno 1
Attributes:
Policy: [none]
This is how I created the keytab:
kdc:~# kadmin.local -q "add_principal -requires_preauth -randkey host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
Authenticating as principal root/admin@SUB.MYDOMAIN.TLD with password.
WARNING: no policy specified for host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD; defaulting to no policy
Principal "host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD" created.
kdc:~# kadmin.local -q "add_principal -requires_preauth -randkey nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
Authenticating as principal root/admin@SUB.MYDOMAIN.TLD with password.
WARNING: no policy specified for nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD; defaulting to no policy
Principal "nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD" created.
kdc:~# kadmin.local -q "ktadd -k /root/fileserver.keytab host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
Authenticating as principal root/admin@SUB.MYDOMAIN.TLD with password.
Entry for principal host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/root/fileserver.keytab.
Entry for principal host/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/fileserver.keytab.
kdc:~# kadmin.local -q "ktadd -k /root/fileserver.keytab nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD"
Authenticating as principal root/admin@SUB.MYDOMAIN.TLD with password.
Entry for principal nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/root/fileserver.keytab.
Entry for principal nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/fileserver.keytab.
I ran tcpdump, but there is no communication to the kdc when rpc.svcgssd starts.
Any idea what's wrong?
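The "Key version number for principal in key table is incorrect" error means the kvno in the incoming service ticket matches no entry in the keytab. The following added example (not from the post or from MIT Kerberos) is a small checker that parses the `klist -e -k` and `kadmin getprinc` listings shown above and reports kvno and enctype disagreements between keytab and KDC; the sample listings and the "stale" variant with vno 3 are constructed for illustration.

```python
import re

# kadmin prints long enctype names, klist -e short ones; map the two used here.
ENCTYPE_NAMES = {"DES cbc mode with CRC-32": "des-cbc-crc",
                 "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1"}
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
KDC_KEY_RE = re.compile(r"^Key: vno (\d+), (.+), ([^,]+)$")

def parse_keytab_listing(text):
    """{principal: {(kvno, enctype), ...}} from 'klist -e -k' output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return keys

def parse_getprinc(text):
    """(principal, {(kvno, enctype), ...}) from 'kadmin getprinc' output."""
    princ, keys = None, set()
    for line in text.splitlines():
        if line.startswith("Principal: "):
            princ = line.split(": ", 1)[1].strip()
        m = KDC_KEY_RE.match(line.strip())
        if m:
            keys.add((int(m.group(1)), ENCTYPE_NAMES.get(m.group(2), m.group(2))))
    return princ, keys

def check_principal(keytab_keys, kdc_princ, kdc_keys):
    """Findings for one principal (empty list means keytab and KDC agree)."""
    kt = keytab_keys.get(kdc_princ, set())
    if not kt:
        return [f"{kdc_princ}: not present in keytab"]
    kt_kvno, kdc_kvno = {k for k, _ in kt}, {k for k, _ in kdc_keys}
    findings = []
    if not kt_kvno & kdc_kvno:  # the 'Key version number ... is incorrect' case
        findings.append(f"{kdc_princ}: keytab kvno {sorted(kt_kvno)} != KDC kvno {sorted(kdc_kvno)}")
    for kvno, etype in sorted(kdc_keys - kt):
        findings.append(f"{kdc_princ}: KDC key vno {kvno} {etype} missing from keytab")
    return findings

# Constructed samples in the format above; STALE_KDC models a key rotated again (vno 3) after ktadd.
KEYTAB = """KVNO Principal
   2 nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des-cbc-crc)
   2 nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD (des3-cbc-sha1)
"""
KDC_OK = """Principal: nfs/fileserver.sub.mydomain.tld@SUB.MYDOMAIN.TLD
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
"""
STALE_KDC = KDC_OK.replace("vno 2", "vno 3")
```

When keytab and KDC agree yet the error persists, the mismatch is on the client side: a service ticket for the nfs principal cached before the principal was recreated carries the old kvno, so checking the client's credential cache is the next step.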