Hi,
I reinstalled an NFS fileserver with a failed root filesystem. I deleted its nfs principal on the KDC, created a new one and added this one to a keytab file. When I start rpc.svcgssd on the fileserver I get this error message:

[...]
entering poll
leaving poll
handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request
sending null reply
finished handling null request
[...]

I tried to supply the principal as an argument:

root@fileserver:~# -p "nfs/fileserver.sub.mydomain....@sub.mydomain.tld"

The message changes, but it didn't work either:

[...]
entering poll
leaving poll
handling null request
WARNING: gss_accept_sec_context failed
ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Key version number for principal in key table is incorrect
sending null reply
finished handling null request
[...]

fileserver runs Debian Jessie (8.2). The following versions are installed:

root@fileserver:~# dpkg -l | grep krb5
ii  krb5-config                2.3                     all    Configuration files for Kerberos Version 5
ii  krb5-user                  1.12.1+dfsg-19+deb8u1   amd64  Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2:amd64     1.12.1+dfsg-19+deb8u1   amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64   1.6~rc2+dfsg-9          amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64            1.12.1+dfsg-19+deb8u1   amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64      1.12.1+dfsg-19+deb8u1   amd64  MIT Kerberos runtime libraries - Support library
ii  sssd-krb5                  1.11.7-3                amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common           1.11.7-3                amd64  System Security Services Daemon -- Kerberos helpers

root@fileserver:~# hostname -f
fileserver.sub.mydomain.tld

root@fileserver:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.sub.mydomain....@sub.mydomain.tld (des-cbc-crc)
   2 host/fileserver.sub.mydomain....@sub.mydomain.tld (des3-cbc-sha1)
   2 nfs/fileserver.sub.mydomain....@sub.mydomain.tld (des-cbc-crc)
   2 nfs/fileserver.sub.mydomain....@sub.mydomain.tld (des3-cbc-sha1)

root@fileserver:~# kinit -k -p nfs/fileserver.sub.mydomain.tld
root@fileserver:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/fileserver.sub.mydomain....@sub.mydomain.tld

Valid starting       Expires              Service principal
12/22/2015 08:52:16  12/23/2015 08:52:17  krbtgt/sub.mydomain....@sub.mydomain.tld
        renew until 12/29/2015 08:52:17

root@fileserver:~# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SUB.MYDOMAIN.TLD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc

[realms]
 SUB.MYDOMAIN.TLD = {
  kdc = kdc.sub.mydomain.tld
  admin_server = kdc.sub.mydomain.tld
 }

[domain_realm]
 sub.mydomain.tld = SUB.MYDOMAIN.TLD
 .sub.mydomain.tld = SUB.MYDOMAIN.TLD

kdc:~# kadmin.local -q "getprinc nfs/fileserver.sub.mydomain....@sub.mydomain.tld"
Authenticating as principal root/ad...@sub.mydomain.tld with password.
Principal: nfs/fileserver.sub.mydomain....@sub.mydomain.tld
Expiration date: [never]
Last password change: Mon Dec 21 21:28:01 CET 2015
Password expiration date: [none]
Maximum ticket life: 31 days 00:00:00
Maximum renewable life: 62 days 00:00:00
Last modified: Mon Dec 21 21:28:01 CET 2015 (root/ad...@sub.mydomain.tld)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
MKey: vno 1
Attributes:
Policy: [none]

This is how I created the keytab:

kdc:~# kadmin.local -q "add_principal -requires_preauth -randkey host/fileserver.sub.mydomain....@sub.mydomain.tld"
Authenticating as principal root/ad...@sub.mydomain.tld with password.
WARNING: no policy specified for host/fileserver.sub.mydomain....@sub.mydomain.tld; defaulting to no policy
Principal "host/fileserver.sub.mydomain....@sub.mydomain.tld" created.

kdc:~# kadmin.local -q "add_principal -requires_preauth -randkey nfs/fileserver.sub.mydomain....@sub.mydomain.tld"
Authenticating as principal root/ad...@sub.mydomain.tld with password.
WARNING: no policy specified for nfs/fileserver.sub.mydomain....@sub.mydomain.tld; defaulting to no policy
Principal "nfs/fileserver.sub.mydomain....@sub.mydomain.tld" created.

kdc:~# kadmin.local -q "ktadd -k /root/fileserver.keytab host/fileserver.sub.mydomain....@sub.mydomain.tld"
Authenticating as principal root/ad...@sub.mydomain.tld with password.
Entry for principal host/fileserver.sub.mydomain....@sub.mydomain.tld with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/root/fileserver.keytab.
Entry for principal host/fileserver.sub.mydomain....@sub.mydomain.tld with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/fileserver.keytab.

kdc:~# kadmin.local -q "ktadd -k /root/fileserver.keytab nfs/fileserver.sub.mydomain....@sub.mydomain.tld"
Authenticating as principal root/ad...@sub.mydomain.tld with password.
Entry for principal nfs/fileserver.sub.mydomain....@sub.mydomain.tld with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/root/fileserver.keytab.
Entry for principal nfs/fileserver.sub.mydomain....@sub.mydomain.tld with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/root/fileserver.keytab.

I ran tcpdump, but there is no communication to the KDC when rpc.svcgssd starts.

Any idea what's wrong?

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
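An added example, not part of the mailing-list post above: a small POSIX shell check of the two things the post's error messages point at, the key version number (kvno) a service keytab carries versus the kvno the KDC reports for the same principal, and keytab entries that still use single-DES enctypes (the krb5.conf in the post pins des-cbc-crc and sets allow_weak_crypto = true). The input text is constructed here in the shape of klist -e -k and kadmin.local getprinc output; the host fileserver.example.test, the realm EXAMPLE.TEST and the kvno values are placeholders, and the KDC sample is deliberately one version ahead of the keytab to show what a re-key mismatch looks like. On a real host you would feed the two functions the actual command output instead of the embedded strings; the check itself runs offline and does not talk to the KDC.

```shell
#!/bin/sh
# Added example: compare keytab kvno against KDC kvno and flag single-DES entries.
# All input below is constructed sample text, not output from the thread's systems.

# Constructed sample of `klist -e -k /etc/krb5.keytab` (placeholder host/realm)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/fileserver.example.test@EXAMPLE.TEST (des-cbc-crc)
   2 host/fileserver.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 nfs/fileserver.example.test@EXAMPLE.TEST (des-cbc-crc)
   2 nfs/fileserver.example.test@EXAMPLE.TEST (des3-cbc-sha1)'

# Constructed sample of `kadmin.local -q "getprinc nfs/..."`; kvno 3 simulates a
# KDC that was re-keyed after the keytab was written.
KDC_GETPRINC='Principal: nfs/fileserver.example.test@EXAMPLE.TEST
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt'

# keytab_kvno PRINCIPAL LISTING -> distinct kvno values the keytab holds for PRINCIPAL
# (klist -k lines are "<kvno> <principal> (<enctype>)"; header lines never match)
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }' | sort -u
}

# kdc_kvno GETPRINC -> distinct kvno values the KDC reports ("Key: vno N, ...")
kdc_kvno() {
    printf '%s\n' "$1" | awk '/^Key: vno/ { sub(",", "", $3); print $3 }' | sort -u
}

# check_kvno PRINCIPAL LISTING GETPRINC -> "ok", "mismatch keytab=.. kdc=.." or "missing: .."
check_kvno() {
    kt=$(keytab_kvno "$1" "$2" | tr '\n' ',' | sed 's/,$//')
    kdc=$(kdc_kvno "$3" | tr '\n' ',' | sed 's/,$//')
    if [ -z "$kt" ]; then
        echo "missing: $1 not in keytab"
    elif [ "$kt" = "$kdc" ]; then
        echo "ok"
    else
        # this is the state behind "Key version number for principal in key table is incorrect"
        echo "mismatch keytab=$kt kdc=$kdc"
    fi
}

# weak_enctypes LISTING -> keytab entries using single-DES (des-cbc-crc / des-cbc-md5),
# which only work with allow_weak_crypto and should be replaced by AES keys
weak_enctypes() {
    printf '%s\n' "$1" | awk '/\(des-cbc-(crc|md5)\)/ { print $2, $3 }' | sort -u
}

# Stand-alone run against the constructed samples
check_kvno "nfs/fileserver.example.test@EXAMPLE.TEST" "$KEYTAB_LISTING" "$KDC_GETPRINC"
weak_enctypes "$KEYTAB_LISTING"
```

The design choice here is to work on captured text rather than to shell out to klist and kadmin, so the same check can be run on a workstation against output pasted from the file server and from the KDC, which is how keytab problems are usually debugged across two hosts anyway.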