gssd/kerb5 error, maybe keytab issue
Kevin Coffman
kwc at citi.umich.edu
Mon May 21 09:40:14 EDT 2007
On 5/21/07, Markus Bölter <Markus.Boelter at micronas.com> wrote:
> Hello!
>
> --- snip ---
> [root at dolly ~]# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 dolly-nfs at MICRONAS.COM (ArcFour with HMAC/md5)
>    2    2 nfs/dolly.micronas.com at MICRONAS.COM (ArcFour with HMAC/md5)
>    3    3 nfs/dolly.micronas.com at MICRONAS.COM (ArcFour with HMAC/md5)
>    4    3 dolly-nfs at MICRONAS.COM (ArcFour with HMAC/md5)
>    5    3 nfs/dolly.micronas.com at MICRONAS.COM (DES cbc mode with CRC-32)
>    6    3 dolly-nfs at MICRONAS.COM (DES cbc mode with CRC-32)
>    7    3 nfs/dolly.micronas.com at MICRONAS.COM (DES cbc mode with RSA-MD5)
>    8    3 dolly-nfs at MICRONAS.COM (DES cbc mode with RSA-MD5)
> --- snip ---
>
>
> --- snip again ---
> [root at dolly ~]# mount -t nfs4 -o sec=krb5 whiskas:/export/nfs4 /mnt
>
> May 21 10:23:11 dolly rpc.gssd[7572]: creating tcp client for server whiskas
> May 21 10:23:12 dolly rpc.gssd[7572]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 7
> --- snip ---
>
> When I export the keytab file on the domain controller itself and
> copy it to the Linux client, things are working smoothly. Things look
> weird to me in this line:
>
> May 21 10:23:12 dolly rpc.gssd[7572]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) Unknown code krb5 7
>
> Any pointers in the right direction would be very nice!
>
> Thanks in advance!
> Markus
Hi,

I think I see two problems.

First, the error "krb5 7" is "Server not found in Kerberos database",
which indicates that the KDC does not know about the principal you are
trying to authenticate to. If your client is trying to authenticate
to "nfs/whiskas at MICRONAS.COM" rather than
"nfs/whiskas.micronas.com at MICRONAS.COM", then you need to fix DNS so
that the client gets the correct full DNS name. If you never created
the server's principal with ktpass, you need to do that (see below
before doing that).

Second, your client keytab has the encryption type "ArcFour with
HMAC/md5"; you need to create it with only the des-cbc-crc enctype.

You might find the following helpful:
http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for.html

HTH,
K.C.
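
Added example, not part of the original message or of any project's code: a small Python check that applies the two points of the reply to a `ktutil l -e` listing, reporting slots whose enctype is not the single expected one and `nfs/` principals whose host part is not a full DNS name. The function names are hypothetical, the sample rows are constructed from the listing quoted above, and the expected enctype is a parameter that defaults to the label the listing shows for des-cbc-crc.

```python
import re

# Constructed sample: the rows of the `ktutil l -e` listing quoted above, unwrapped.
# The archive writes "@" as " at "; ROW accepts either form.
SAMPLE = """\
   1    2 dolly-nfs at MICRONAS.COM (ArcFour with HMAC/md5)
   2    2 nfs/dolly.micronas.com at MICRONAS.COM (ArcFour with HMAC/md5)
   3    3 nfs/dolly.micronas.com at MICRONAS.COM (ArcFour with HMAC/md5)
   4    3 dolly-nfs at MICRONAS.COM (ArcFour with HMAC/md5)
   5    3 nfs/dolly.micronas.com at MICRONAS.COM (DES cbc mode with CRC-32)
   6    3 dolly-nfs at MICRONAS.COM (DES cbc mode with CRC-32)
   7    3 nfs/dolly.micronas.com at MICRONAS.COM (DES cbc mode with RSA-MD5)
   8    3 dolly-nfs at MICRONAS.COM (DES cbc mode with RSA-MD5)
"""
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\((.+)\)\s*$")

def parse_listing(text):
    """Return one dict per keytab row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, kvno, name, realm, enctype = m.groups()
            entries.append({"slot": int(slot), "kvno": int(kvno),
                            "principal": f"{name}@{realm}", "enctype": enctype})
    return entries

def unexpected_enctypes(entries, wanted="DES cbc mode with CRC-32"):
    """Slots whose enctype differs from the one enctype the keytab should hold."""
    return [e["slot"] for e in entries if e["enctype"] != wanted]

def short_host_principals(entries, service="nfs"):
    """service/host principals whose host part has no dot (not a full DNS name)."""
    out = []
    for e in entries:
        svc, _, host = e["principal"].split("@", 1)[0].partition("/")
        if svc == service and host and "." not in host:
            out.append(e["principal"])
    return out

if __name__ == "__main__":
    rows = parse_listing(SAMPLE)
    print("slots with unexpected enctype:", unexpected_enctypes(rows))
    print("nfs principals with short host names:", short_host_principals(rows))
```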