krb5 + NFS rpc.svcgssd - GSS_S_FAILURE - Wrong principal in request

Greg Hudson ghudson at mit.edu
Wed Dec 23 00:45:56 EST 2015


On 12/22/2015 03:00 AM, 0xbabaf00l wrote:
> WARNING: gss_accept_sec_context failed
> ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context():
> GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more
> information) - Key version number for principal in key table is
> incorrect

Since the keytab kvno matches the KDB kvno for the principal, this error
probably means that the client has stale tickets.

If you are truly getting this error on startup, I don't know enough
about the NFS implementation to know what rpc.svcgssd is accepting
authentication from.  You need to find the relevant credential cache and
remove it, or perhaps refresh it with kinit.

(If this seems unnecessarily aggravating, it is.  The protocol was
designed under the assumption that services can retain old keys for some
period of time after new ones are generated.  That assumption is much
less true in an age where servers are frequently virtual and commonly
rebuilt.  See
http://k5wiki.kerberos.org/wiki/Projects/Graceful_recovery_after_destructive_service_rekey
for more details.)
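A way to confirm the stale-ticket diagnosis above, as an added example that is not part of the original post: compare the kvno of the client's service ticket (as printed by `kvno`) with the kvnos in the server keytab (as printed by `klist -k`). The principal names and both sample outputs are constructed, and the `stale-keytab` case goes beyond the situation in this thread.

```shell
#!/bin/sh
# Constructed sample: `klist -k /etc/krb5.keytab` output on the NFS server.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/server.example.com@EXAMPLE.COM
   3 nfs/server.example.com@EXAMPLE.COM
   1 host/server.example.com@EXAMPLE.COM'

# Constructed sample: `kvno nfs/server.example.com` output on the client.
# kvno reports the key version of the service ticket, cached or newly fetched.
KVNO_LINE='nfs/server.example.com@EXAMPLE.COM: kvno = 2'

# Print the distinct kvnos the keytab holds for principal $1 (listing on stdin).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p && !seen[$1]++ { print $1 }'
}

# Print N from a `kvno` output line of the form "<principal>: kvno = N".
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# classify <principal> <klist -k text> <kvno line>
#   ok            the keytab has a key for the ticket's kvno
#   stale-ticket  ticket kvno is older than the keytab keys (the case in this thread)
#   stale-keytab  ticket kvno is newer than every keytab key
#   unknown       either input could not be parsed
classify() {
    tkt=$(ticket_kvno "$3")
    keys=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    if [ -z "$tkt" ] || [ -z "$keys" ]; then echo unknown; return 0; fi
    max=0
    for k in $keys; do
        if [ "$k" -eq "$tkt" ]; then echo ok; return 0; fi
        if [ "$k" -gt "$max" ]; then max=$k; fi
    done
    if [ "$tkt" -lt "$max" ]; then echo stale-ticket; else echo stale-keytab; fi
}

classify nfs/server.example.com@EXAMPLE.COM "$KEYTAB_LISTING" "$KVNO_LINE"
```

A `stale-ticket` result calls for the remedy given in the post: remove the client's credential cache or refresh it with kinit.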

