rpc.svcgssd: ERROR: GSS-API
Kevin Coffman
kwc at citi.umich.edu
Tue Aug 8 13:38:03 EDT 2006
On 8/8/06, Ahmed Ahmed <itngsse at yahoo.com> wrote:
> Hello,
>
> I was trying to configure kerberised NFS4 but no success, I need help from
> anybody running NFS4 with Kerberos. This is my situation:
>
> 1. I am using Windows 2003 Server as KDC.
>
> 2. Created krb5.keytab for the NFS server (nfs4srv.nfs4.co.uk) and copied to
> NFS server (nfs4srv.nfs4.co.uk) and client (nfs4clnt.nfs4.co.uk).

Each machine should have its own principal and keytab. (In other
words, you should have a separate keytab for
nfs/nfs4clnt.nfs4.co.uk@REALM.) Think of the keytab as the machine's
private key, only known to it and the KDC. It shouldn't be shared
among machines.

> 3. kinit -k nfs/nfs4srv.nfs4.co.uk is working with no error on both server and
> client.
>
> 4. mount -t nfs4 -o sec=krb5 nfs4srv.nfs4.co.uk:/export/home /mnt/krb5
>
> #mount: block device nfs4srv.nfs4.co.uk:/export/home is write-protected, mounting read-only
> mount: cannot mount block device nfs4srv.nfs4.co.uk:/export/home read-only
>
> 5. On the server
>
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: WARNING: gss_accept_sec_context failed
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Miscellaneous failure - Key table entry not found
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: sending null reply
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]:
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: WARNING: failed to write message
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: finished handling null request
> Aug 8 15:20:21 sir164d rpc.svcgssd[28435]: entering poll

If this is a recent version of rpc.svcgssd, you can turn up the debug
logging and see the principal name it is trying to find in the keytab.
The most common cause is a misconfigured /etc/host or /etc/krb5.conf.
svcgssd makes a gss call with "nfs" and expects to get the correct
hostname and realm to build the principal name.

> 6. On both server and client
>
> ~]# klist -e -k -t /etc/krb5.keytab
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 08/08/06 15:08:38 nfs/nfs4srv.nfs4.co.uk@TEST.NFS4.CO.UK (DES cbc mode with CRC-32)
>
> I have tried almost all options so please any Ideas?!!!!
>
> Ahmed
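
Added example, not part of either message in the thread: a shell check that builds the nfs/<hostname>@<REALM> name the reply describes and looks for it in a keytab listing. The function names are hypothetical and the sample listing is constructed from the klist output quoted above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): does a keytab listing contain the
# principal rpc.svcgssd would look for, i.e. nfs/<hostname>@<REALM>?

# Constructed sample: `klist -e -k -t` output for the keytab shown in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/08/06 15:08:38 nfs/nfs4srv.nfs4.co.uk@TEST.NFS4.CO.UK (DES cbc mode with CRC-32)'

# expected_principal SERVICE HOSTNAME REALM  ->  service/hostname@REALM
# Assumption: the hostname is lower-cased, as Kerberos libraries normally do
# when building a host-based service principal.
expected_principal() {
    local host
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s/%s@%s\n' "$1" "$host" "$3"
}

# keytab_principals: klist output on stdin, one principal per keytab entry out.
# Entry lines start with a numeric KVNO; the principal is the field with '@'.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break } }'
}

# check_keytab KLIST_TEXT SERVICE HOSTNAME REALM
# Returns 0 if the expected principal has an entry, 1 otherwise.
check_keytab() {
    local want have
    want=$(expected_principal "$2" "$3" "$4")
    have=$(printf '%s\n' "$1" | keytab_principals | sort -u)
    if printf '%s\n' "$have" | grep -Fxq -- "$want"; then
        echo "OK: $want has a keytab entry"
        return 0
    fi
    echo "MISSING: $want (keytab holds: $(printf '%s' "$have" | tr '\n' ' '))"
    return 1
}

# Demo on the constructed sample. The server's name is present; the client's
# is not, which is what a server keytab copied to the client looks like.
check_keytab "$SAMPLE_KLIST" nfs nfs4srv.nfs4.co.uk TEST.NFS4.CO.UK
check_keytab "$SAMPLE_KLIST" nfs nfs4clnt.nfs4.co.uk TEST.NFS4.CO.UK || true

# On a live host (hostname -f and the realm are the values to verify):
#   check_keytab "$(klist -k /etc/krb5.keytab)" nfs "$(hostname -f)" TEST.NFS4.CO.UK
```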