rpc.svcgssd -- No principal in keytab...

Fernandez, Nestor nestor_fernandez at hp.com
Thu Sep 21 15:10:33 EDT 2006


Here's the stuff, lemme know, thanks *a bunch*.

nestor

So.. hostname returns:
[root@nf73415a ~]# hostname
nf73415a


nslookup/DNS returns:
[root@nf73415a ~]# nslookup `hostname`
Server:         16.92.3.242
Address:        16.92.3.242#53

Name:   nf73415a.americas.hpqcorp.net
Address: 16.89.246.57


My krb5.conf file below:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HPNFS043.CUP.HP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ccache_type = 2


[realms]
 HPNFS043.CUP.HP.COM = {
  kdc = hpnfs043.cup.hp.com:88
  admin_server = hpnfs043.cup.hp.com
  default_domain = americas.hpqcorp.net
 }

[domain_realm]
 .americas.hpqcorp.net = HPNFS043.CUP.HP.COM
 .cup.hp.com = HPNFS043.CUP.HP.COM

-----Original Message-----
From: kwcoffman at gmail.com [mailto:kwcoffman at gmail.com] On Behalf Of
Kevin Coffman
Sent: Thursday, September 21, 2006 11:40 AM
To: Fernandez, Nestor
Cc: nfsv4 at linux-nfs.org; Shah, Smita
Subject: Re: rpc.svcgssd -- No principal in keytab...

On 9/21/06, Fernandez, Nestor <nestor_fernandez at hp.com> wrote:
>
>
> Kevin,
> We met at the bakeathon last week. While at the NFSv4 bakeathon, we
> ran into a problem w/ our HP-UX client and a Linux server.  I'm trying
> to set up a Linux box as an NFSv4 server over here and am running into
> problems.  I have a kerberos server already running.  Searching Google
> showed others have run into the problem so I was hoping I could get
> some help.
>
> I have installed RH EL, my kernel is vmlinuz-2.6.9-11.EL.  When I try
> running
>
> rpc.svcgssd -f -vvv
>
> I get:
>
> WARNING: unable to locate function krb5_gss_internal_release_oid in
> krb5 mechanism library: there will be problems if multiple mechanisms
> are used!
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure -
> No principal in keytab matches desired name unable to obtain root
> (machine) credentials do you have a keytab entry for
> nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
> [root@nf73415a ~]# rpc.svcgssd -f -vvv
> WARNING: unable to locate function krb5_gss_internal_release_oid in
> krb5 mechanism library: there will be problems if multiple mechanisms
> are used!
> ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure -
> No principal in keytab matches desired name unable to obtain root
> (machine) credentials do you have a keytab entry for
> nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
>
> A message from Bruce says that the Warning can be ignored however the
> ERROR is a bit more severe.  I think I have things (mostly :) ) set up
> correctly.
> If I do a klist -k, I see my nfs ticket:
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nfs/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
>    1 root/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM
>
> The one wrinkle here is that the kdc machine is in the cup.hp.com domain
> whereas my NFSv4 server (and client) are in americas.hpqcorp.net
> domain.  I modified the kdc.realm file on the kdc machine to allow
> both domains.

Hi Nestor,

Just FYI, you're running ancient code.  Newer versions will print the
name of the principal that it is looking to find in the keytab.  But
what you have should work.

The /etc/krb5.conf file on the nfs server machine needs to know the
mapping of its hostname to the correct realm.  So it should have a
mapping like the following:

[domain_realm]
  .americas.hpqcorp.net = HPNFS043.CUP.HP.COM

If adding that doesn't work please send me your krb5.conf file (on the
nfs server machine) and what it (and DNS) thinks its hostname is.
(Note that the Kerberos code expects that a reverse lookup returns the
"correct" hostname.)

K.C.
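
An added example, not part of either message in this thread: a small Python model of the hostname-to-realm mapping discussed above, which builds the `nfs/<host>@<REALM>` name and checks it against the keytab listing. The sample data is copied from the krb5.conf and `klist -k` output posted here; the function names are hypothetical, and the fallback when no `[domain_realm]` entry matches (upper-cased domain part of the host name) is an assumption about older MIT krb5 behaviour.

```python
# Added example, not code from the thread or from nfs-utils/krb5.
# Sample data copied from the krb5.conf and klist -k output posted above.
KRB5_CONF = """\
[libdefaults]
 default_realm = HPNFS043.CUP.HP.COM
[domain_realm]
 .americas.hpqcorp.net = HPNFS043.CUP.HP.COM
 .cup.hp.com = HPNFS043.CUP.HP.COM
"""
KEYTAB = ["nfs/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM",
          "root/nf73415a.americas.hpqcorp.net@HPNFS043.CUP.HP.COM"]

def parse_sections(text):
    """Parse flat 'key = value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def realm_for_host(host, conf):
    """Model of the [domain_realm] lookup: exact host, then each .suffix."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in mapping:
            return mapping[name]
    # Assumption: with no matching entry, use the upper-cased domain part,
    # or default_realm when the name has no domain part at all.
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return conf.get("libdefaults", {}).get("default_realm")

def expected_principal(service, host, conf):
    """Service principal name a server on `host` would need in its keytab."""
    return f"{service}/{host.lower()}@{realm_for_host(host, conf)}"

def keytab_has(service, host, conf, keytab=KEYTAB):
    return expected_principal(service, host, conf) in keytab

if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    for host in ("nf73415a.americas.hpqcorp.net", "nf73415a"):
        print(expected_principal("nfs", host, conf), keytab_has("nfs", host, conf))
```

The second host in the loop is the short name that `hostname` prints, which shows why the name the Kerberos library resolves (forward and reverse lookup) matters as much as the realm mapping.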

