kvno X not found in keytab; ticket is likely out of date

Radoslav Bodó bodik at cesnet.cz
Mon Jul 22 06:39:43 EDT 2019


I'm definitely not an expert in the field, but I'd guess you'd have to:


1) wait until client tickets expire and clients request new ones for
   the current kvno


2) due to Linux NFS credential storage being buried deep in the kernel,
   reboot all clients (sometimes just restarting services helps,
   sometimes it does not ;( )


3) anyway, the best would be to pull the old key from backups (either from
the KDC or a server backup) and put it back into the KDC under the correct kvno

Depending on your skills and other factors of your environment,
restoring the whole KDC db might be easier than messing with a single entry ...


bodik


On 07/22/2019 at 12:22 PM, Laura Smith wrote:
> Ok, I hold my hand up, I messed up.  So the question is, how do I get myself out of this mess ?
> 
> A summary of how I got here:
> • I have an NFS server and a bunch of clients connecting and auth using krb5.
> • This was all working beautifully.... until today.
> • Through an act of pure fat-fingered stupidity, I ran "addprinc -randkey nfs/name.of.nfs.server" when setting up a new NFS client (i.e. used server name instead of client name).
> • Now everything is broken (none of the NFS clients can connect to the server and I am seeing the error messages below on the NFS server).
> • keytab on NFS server only had credentials for NFS server, so I deleted the keytab and created a new one through ktadd
> • That didn't work. A reboot of the NFS server didn't work.
> 
> Summary ?  I'm up a smelly creek without a paddle !
> 
> Messages on NFS server:
> 
> 2019-07-22T11:01:35.075247+01:00 foo rpc.svcgssd[847]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Request ticket server nfs/foo.example.com at EXAMPLE.CORP kvno 3 not found in keytab; ticket is likely out of date
> 2019-07-22T11:01:39.460944+01:00 foo rpc.svcgssd[847]: message repeated 41 times: [ ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Request ticket server nfs/foo.example.com at EXAMPLE.CORP kvno 3 not found in keytab; ticket is likely out of date]
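
Added example, not part of either poster's message: a shell check that pulls the principal and kvno out of rpc.svcgssd errors like the ones quoted above and compares them with the key versions listed by plain `klist -k`. The sample keytab listing (kvno 4) and the shortened log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `klist -k` output; kvno 4 is an assumed value, not from the thread.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/foo.example.com@EXAMPLE.CORP
   4 nfs/foo.example.com@EXAMPLE.CORP'

# Constructed log lines, shortened from the rpc.svcgssd messages quoted above.
SAMPLE_LOG='foo rpc.svcgssd[847]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE - Request ticket server nfs/foo.example.com at EXAMPLE.CORP kvno 3 not found in keytab; ticket is likely out of date
foo rpc.svcgssd[847]: message repeated 41 times: [ ERROR: GSS-API: ... - Request ticket server nfs/foo.example.com at EXAMPLE.CORP kvno 3 not found in keytab; ticket is likely out of date]'

# Read log text on stdin, print unique "principal kvno" pairs from the errors.
# The list archive writes "@" as " at ", so that form is normalised as well.
requested_kvnos() {
  sed -n 's/.*Request ticket server \(.*\) kvno \([0-9][0-9]*\) not found in keytab.*/\1 \2/p' \
    | sed 's/ at /@/' | sort -u
}

# Read plain `klist -k` text on stdin, print the kvnos held for principal $1.
keytab_kvnos() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# diagnose LOG_TEXT KEYTAB_TEXT: one verdict line per requested pair.
diagnose() {
  printf '%s\n' "$1" | requested_kvnos | while read -r princ kvno; do
    have=$(printf '%s\n' "$2" | keytab_kvnos "$princ" | tr '\n' ' ')
    have=${have% }
    if [ -z "$have" ]; then
      echo "$princ: requested kvno $kvno, principal absent from keytab"
    elif printf '%s\n' $have | grep -qx "$kvno"; then
      echo "$princ: kvno $kvno present in keytab"
    else
      echo "$princ: requested kvno $kvno, keytab holds kvno $have"
    fi
  done
}

diagnose "$SAMPLE_LOG" "$SAMPLE_KEYTAB"
```

On a live server, pass the rpc.svcgssd log text as the first argument and the output of `klist -k` for the server's keytab as the second.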

