Re: Linux client kerberos problem with attempted nfsv4 connection...

Re: Linux client kerberos problem with attempted nfsv4 connection...

_-_ Daniel _-_-3
Hi,

 > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
 > requested realm while getting initial ticket for principal
 > 'nfs/[hidden email]' from keytab 'FILE:/etc/krb5.keytab'

The above error could be a key to the problem. Can you please post the
krb5.conf? Also verify that the KDC is being resolved correctly to a fully
qualified domain name.

            = Ram Marti


Jeffrey C Albro wrote:

> I'm trying to create a krb5 authenticated nfsv4 connection from a Linux
> Fedora core 3 client to a NetApp filer server.
>
> The trick is, the NetApp is running Kerberos connected to a Windows AD
> KDC...
>
> I've created a keytab for the client with a principal of:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    4 nfs/[hidden email]
>
>
> On the client a mount attempt gives
>
> client:~# mount -tnfs4 -o sec=krb5 server.bu.edu:/vol/unix_share
> /mnt/unix_share
> mount: block device server.bu.edu:/vol/unix_share is write-protected,
> mounting read-only
> mount: cannot mount block device server.bu.edu:/vol/unix_share read-only
>
> Mounting without the -o sec=krb5 works fine.
>
> Here's where I need help...  I get the following suspicious messages in
> /var/log/messages:
>
> May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
> requested realm while getting initial ticket for principal
> 'nfs/[hidden email]' from keytab 'FILE:/etc/krb5.keytab'
>
> and
>
> May 20 11:04:43 client rpc.gssd[6442]: WARNING: Failed to obtain
> machine credentials for connection to server server.bu.edu
>
> The first one is weird as I have krb5.conf set up, have joined the domain
> with samba, and can kinit an AD account just fine.
>
> I've googled these errors with no luck.  I'm also working with nfsv4 and
> netapp people on it, but I thought I would give this list a try as well.
>
> Anyone have any ideas?
>
> Thanks!
>
> -Jeff
>
>
> -----------------------------------------------------------
> Jeffrey Albro | Systems Administrator | Boston University
>    - Department of Electrical and Computer Engineering -
> [hidden email] |  Photonics, Room 305  | 617-358-2785
> -----------------------------------------------------------
>
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Re: Linux client kerberos problem with attempted nfsv4 connection...

jalbro


Here is the krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 36000
 default_realm = AD.BU.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]

 AD.BU.EDU = {
   kdc = adc1.bu.edu
   admin_server = ad.bu.edu
 }

 BU.EDU = {
   kdc = kerberos1.bu.edu:750
   kdc = kerberos2.bu.edu:750
   kdc = kerberos3.bu.edu:750
   admin_server = kerberos1.bu.edu
   default_domain = bu.edu
 }

 bu.edu = {
  kdc = kerberos1.bu.edu
  kdc = kerberos2.bu.edu
  kdc = kerberos3.bu.edu
  admin_server = kerberos1.bu.edu
 }

[domain_realm]
 .bu.edu = bu.edu
 bu.edu = bu.edu
 server.bu.edu = AD.BU.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   ignore_afs = true
   minimum_uid = 3000
 }

###############################

When I comment out these lines:

#dns_lookup_realm = false
#dns_lookup_kdc = false

the messages change to:

May 23 16:21:58 client rpc.gssd[6442]: Using keytab file
'/etc/krb5.keytab'
May 23 16:21:58 client rpc.gssd[6442]: WARNING: Client not found in
Kerberos database while getting initial ticket for principal
'nfs/[hidden email]' from keytab 'FILE:/etc/krb5.keytab'
May 23 16:21:58 client rpc.gssd[6442]: ERROR: No usable machine
credentials obtained
May 23 16:21:58 client rpc.gssd[6442]: WARNING: Failed to obtain machine
credentials for connection to server server.bu.edu

Sooo....  It seems I have something screwed up with the keytab and realm.

 -Jeff


On Fri, 20 May 2005, Lord of the Union wrote:

> Hi,
>
>  > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
>  > requested realm while getting initial ticket for principal
>  > 'nfs/[hidden email]' from keytab 'FILE:/etc/krb5.keytab'
>
> The above error could be a key to the problem. Can you please post the
> krb5.conf? Also verify that the KDC is being resolved correctly to a fully
> qualified domain name.
>
>             = Ram Marti
>
>
> Jeffrey C Albro wrote:
> > I'm trying to create a krb5 authenticated nfsv4 connection from a Linux
> > Fedora core 3 client to a NetApp filer server.
> >
> > The trick is, the NetApp is running Kerberos connected to a Windows AD
> > KDC...
> >
> > I've created a keytab for the client with a principal of:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> >    4 nfs/[hidden email]
> >
> >
> > On the client a mount attempt gives
> >
> > client:~# mount -tnfs4 -o sec=krb5 server.bu.edu:/vol/unix_share
> > /mnt/unix_share
> > mount: block device server.bu.edu:/vol/unix_share is write-protected,
> > mounting read-only
> > mount: cannot mount block device server.bu.edu:/vol/unix_share read-only
> >
> > Mounting without the -o sec=krb5 works fine.
> >
> > Here's where I need help...  I get the following suspicious messages in
> > /var/log/messages:
> >
> > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Cannot find KDC for
> > requested realm while getting initial ticket for principal
> > 'nfs/[hidden email]' from keytab 'FILE:/etc/krb5.keytab'
> >
> > and
> >
> > May 20 11:04:43 client rpc.gssd[6442]: WARNING: Failed to obtain
> > machine credentials for connection to server server.bu.edu
> >
> > The first one is weird as I have krb5.conf set up, have joined the domain
> > with samba, and can kinit an AD account just fine.
> >
> > I've googled these errors with no luck.  I'm also working with nfsv4 and
> > netapp people on it, but I thought I would give this list a try as well.
> >
> > Anyone have any ideas?
> >
> > Thanks!
> >
> > -Jeff
> >
> >
> > -----------------------------------------------------------
> > Jeffrey Albro | Systems Administrator | Boston University
> >    - Department of Electrical and Computer Engineering -
> > [hidden email] |  Photonics, Room 305  | 617-358-2785
> > -----------------------------------------------------------
> >
> >
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
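
An added example, not part of either post: a small check of where the KDC for a keytab principal's realm would come from, given the [libdefaults] and [realms] settings in the krb5.conf posted above. The function names and the principals used to try it are hypothetical (the archive hides the real principal), the sample text is an excerpt of the posted file, and an unset dns_lookup_kdc is assumed to mean DNS lookup is enabled.

```python
# Constructed input: the lookup-relevant lines of the krb5.conf posted in the thread.
SAMPLE_CONF = """
[libdefaults]
 default_realm = AD.BU.EDU
 dns_lookup_kdc = false
[realms]
 AD.BU.EDU = {
   kdc = adc1.bu.edu
 }
 BU.EDU = {
   kdc = kerberos1.bu.edu:750
 }
 bu.edu = {
   kdc = kerberos1.bu.edu
 }
"""

def parse_krb5_conf(text):
    """Parse sections and one level of `name = { ... }` stanzas into dicts of lists."""
    conf, section, stanza = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":          # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            stanza = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stanza = section.setdefault(key, {})
            else:
                (stanza if stanza is not None else section).setdefault(key, []).append(value)
    return conf

def kdc_source(text, principal):
    """Return (source, kdcs, case_variants) for the realm part of `principal`."""
    conf = parse_krb5_conf(text)
    realm = principal.rsplit("@", 1)[1]
    realms = conf.get("realms", {})
    kdcs = realms.get(realm, {}).get("kdc", [])   # realm names are case-sensitive
    near = [r for r in realms if r != realm and r.lower() == realm.lower()]
    # Assumption: an unset dns_lookup_kdc is treated as enabled.
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1].lower()
    if kdcs:
        return ("static", kdcs, near)
    return ("none" if dns in ("false", "no", "off", "0") else "dns", [], near)
```

A result of "none" means neither a [realms] stanza nor DNS can supply a KDC for that realm; a non-empty third element lists stanzas whose names differ from the principal's realm only by case.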