rpc.svcgssd -- No principal in keytab...
Kevin Coffman
kwc at citi.umich.edu
Thu Sep 21 14:39:58 EDT 2006
On 9/21/06, Fernandez, Nestor <nestor_fernandez at hp.com> wrote:
>
>
> Kevin,
> We met at the bakeathon last week. While at the NFSv4 bakeathon, we ran into
> a problem w/ our HP-UX client and a Linux server. I'm trying to set up a
> Linux box as an NFSv4 server over here and am running into problems. I have
> a kerberos server already running. Searching Google showed others have run
> into the problem so I was hoping I could get some help.
>
> I have installed RH EL, my kernel is vmlinuz-2.6.9-11.EL. When I try
> running
>
> rpc.svcgssd -f -vvv
>
> I get:
>
> WARNING: unable to locate function krb5_gss_internal_release_oid in krb5
> mechanism library: there will be problems if multiple mechanisms are used!
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No
> principal in keytab matches desired name
> unable to obtain root (machine) credentials
> do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in
> /etc/krb5.keytab?
> [root@nf73415a ~]# rpc.svcgssd -f -vvv
> WARNING: unable to locate function krb5_gss_internal_release_oid in krb5
> mechanism library: there will be problems if multiple mechanisms are used!
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - No
> principal in keytab matches desired name
> unable to obtain root (machine) credentials
> do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in
> /etc/krb5.keytab?
>
> A message from Bruce says that the Warning can be ignored; however, the ERROR
> is a bit more severe. I think I have things (mostly :) ) set up correctly.
> If I do a klist -k, I see my nfs ticket:
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
>    1 root/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
>
> The one wrinkle here is that the kdc machine is in the cup.hp.com domain
> whereas my NFSv4 server (and client) are in americas.hpqcorp.net domain. I
> modified the kdc.realm file on the kdc machine to allow both domains.

Hi Nestor,

Just FYI, you're running ancient code. Newer versions will print the
name of the principal that it is looking to find in the keytab. But
what you have should work.

The /etc/krb5.conf file on the nfs server machine needs to know the
mapping of its hostname to the correct realm. So it should have a
mapping like the following:

[domain_realm]
    .americas.hpqcorp.net = HPNFS043.CUP.HP.COM

If adding that doesn't work please send me your krb5.conf file (on the
nfs server machine) and what it (and DNS) thinks its hostname is.
(Note that the Kerberos code expects that a reverse lookup returns the
"correct" hostname.)

K.C.
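
Added example, not part of the original post or of nfs-utils: a small offline check of the three things the reply ties together, namely the server's host name, the [domain_realm] mapping, and the nfs/ entry in the keytab. The krb5.conf and klist -k text are constructed from the values in the thread, the function names are hypothetical, and realm_for_host is a simplified model of the lookup (exact host name, then each parent domain with and without the leading dot).

```python
# Added example with constructed data modeled on the thread; names are hypothetical.
KRB5_CONF = """\
[domain_realm]
    .americas.hpqcorp.net = HPNFS043.CUP.HP.COM
"""
KLIST_K = """\
KVNO Principal
---- ---------
   1 nfs/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
   1 root/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercased name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(fqdn, mapping):
    """Simplified lookup (assumption): host, then '.parent' and 'parent' upward."""
    name = fqdn.lower().rstrip(".")
    keys = [name]
    while "." in name:
        name = name.split(".", 1)[1]
        keys += ["." + name, name]
    return next((mapping[k] for k in keys if k in mapping), None)

def keytab_principals(klist_text):
    """Collect principal names from `klist -k` style output."""
    rows = (line.split() for line in klist_text.splitlines())
    return {r[1] for r in rows if len(r) == 2 and r[0].isdigit()}

def check_nfs_principal(fqdn, conf_text, klist_text):
    """Return (expected principal or None, True if the keytab holds it)."""
    realm = realm_for_host(fqdn, parse_domain_realm(conf_text))
    if realm is None:
        return None, False  # no [domain_realm] entry covers this host name
    wanted = f"nfs/{fqdn.lower().rstrip('.')}@{realm}"
    return wanted, wanted in keytab_principals(klist_text)

if __name__ == "__main__":
    print(check_nfs_principal("nf73415a.americas.hpqcorp.net", KRB5_CONF, KLIST_K))
```

Pass in the name that a reverse lookup of the server's address returns, since that is the host name the reply says the Kerberos code relies on.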