* problem mounting using NFSv4  when using -o sec=krb5 option
@ 2005-03-16 13:39 mehta kiran
  2005-03-16 14:34 ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-16 13:39 UTC (permalink / raw)
  To: nfs

Hi,
    I have exported filesystems to the client, but
    when the client mounts using
    mount -t nfs4 -o sec=krb5  vcslinux1:/ /share
    it gets this error:
-------------
     kernel: RPC: Couldn't create auth handle (flavor 390003)
     kernel: NFS: cannot create RPC client.
     rpc.idmapd: open (/var/lib/nfs/rpc_pipefs/nfs/clnt23)
--------------

     The NFS server is running on the vcslinux1 system and
     the client on vcslinux5.

    Output of klist -k /etc/krb5.keytab on server:

   3 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 root/admin@VXINDIA.VERITAS.COM
   2 root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM


All NFS daemons are running. rpc.svcgssd and
rpc.idmapd are also running.

On the client side rpc.gssd is running with the -m option.


thanks,
 --kiran




		
^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-16 13:39 mehta kiran
@ 2005-03-16 14:34 ` Kevin Coffman
  0 siblings, 0 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-16 14:34 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

Is your server's kernel built with CONFIG_RPCSEC_GSS_KRB5?
If it is built as a module, is the module loaded?



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-16 14:36 mehta kiran
  0 siblings, 0 replies; 30+ messages in thread
From: mehta kiran @ 2005-03-16 14:36 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi,
    Yes, module rpcsec_gss_krb5 is loaded.
    RHEL GA is installed on my machines.
thanks,
 --kiran
--- Kevin Coffman <kwc@citi.umich.edu> wrote:
> Is your server's kernel built with
> CONFIG_RPCSEC_GSS_KRB5?
> If it is built as a module, is the module loaded?

^ permalink raw reply	[flat|nested] 30+ messages in thread


* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-16 14:47 mehta kiran
  2005-03-16 15:05 ` Trond Myklebust
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-16 14:47 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

I rebooted the machine due to some problem.
That problem has vanished but I get the following message:

Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: failed reading uid from krb5 upcall pipe: Success
Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained

thanks,
 --kiran



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-16 14:47 mehta kiran
@ 2005-03-16 15:05 ` Trond Myklebust
  2005-03-16 15:40   ` mehta kiran
  0 siblings, 1 reply; 30+ messages in thread
From: Trond Myklebust @ 2005-03-16 15:05 UTC (permalink / raw)
  To: mehta kiran; +Cc: Kevin Coffman, nfs

On Wed, 16.03.2005 at 06:47 (-0800), mehta kiran wrote:
> I rebooted the machine due to some problem.
> That problem has vanished but I get the following message:
> 
> Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING: failed reading uid from krb5 upcall pipe: Success
> Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained

So what is the name of your client? It looks like your keytab file has a
credential for nfs/vcslinux1, but the syslog entries above appear to
refer to vcslinux5.

If the client name is vcslinux5, then the credential in the keytab
should be nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM


Cheers,
  Trond


-- 
Trond Myklebust <trond.myklebust@fys.uio.no>




^ permalink raw reply	[flat|nested] 30+ messages in thread
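
The keytab check described in the reply above, as an added example that is not part of the original thread: Python code that parses `klist -k` output, both one-line entries and entries whose key version number and principal were split across lines by mail wrapping, and reports whether the keytab holds the `nfs/<fqdn>@REALM` key for a given machine. The function names and report fields are illustrative assumptions.

```python
import re
from typing import NamedTuple


class KeytabEntry(NamedTuple):
    kvno: int        # key version number from the first column
    principal: str   # full principal name as listed
    service: str     # first name component, e.g. "nfs"
    host: str        # second name component ("" when there is none)
    realm: str


# Listing from the first message of the thread, with the key version number
# and the principal split across lines the way mail wrapping can leave them.
KLIST_AS_POSTED = """\
3
nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
2 root/admin@VXINDIA.VERITAS.COM
2
root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3
ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")   # "   3 nfs/host@REALM"
_KVNO_ONLY = re.compile(r"^\s*(\d+)\s*$")           # wrapped: kvno alone
_PRINC_ONLY = re.compile(r"^\s*(\S+@\S+)\s*$")      # wrapped: principal alone


def _make_entry(kvno, principal):
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return KeytabEntry(int(kvno), principal, service, host, realm)


def parse_klist(text):
    """Return the keytab entries found in `klist -k` output.

    Header lines ("Keytab name:", "KVNO Principal", the dashed rule) and any
    other non-entry lines are skipped.
    """
    entries, pending_kvno = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(_make_entry(m.group(1), m.group(2)))
            pending_kvno = None
            continue
        m = _KVNO_ONLY.match(line)
        if m:
            pending_kvno = m.group(1)
            continue
        m = _PRINC_ONLY.match(line)
        if m and pending_kvno is not None:
            entries.append(_make_entry(pending_kvno, m.group(1)))
        pending_kvno = None
    return entries


def _short(host):
    return host.split(".", 1)[0].lower()


def check_machine_credential(entries, fqdn, realm, service="nfs"):
    """Check a keytab listing for the machine principal of host `fqdn`.

    near_misses: same service and short host name, but a different domain
                 or realm, so the name requested for `fqdn` does not match.
    other_hosts: keys for the same service that belong to other machines.
    """
    expected = f"{service}/{fqdn}@{realm}"
    same_service = [e for e in entries if e.service == service and e.host]
    kvnos = sorted({e.kvno for e in same_service if e.principal == expected})
    near = sorted({e.principal for e in same_service
                   if e.principal != expected
                   and _short(e.host) == _short(fqdn)})
    other = sorted({e.principal for e in same_service
                    if _short(e.host) != _short(fqdn)})
    return {"expected": expected, "present": bool(kvnos), "kvnos": kvnos,
            "near_misses": near, "other_hosts": other}


if __name__ == "__main__":
    listing = parse_klist(KLIST_AS_POSTED)
    for host in ("vcslinux1.vxindia.veritas.com",
                 "vcslinux5.vxindia.veritas.com"):
        print(check_machine_credential(listing, host, "VXINDIA.VERITAS.COM"))
```

Run against the listing from the first message, the report for vcslinux5 shows no `nfs/` key for that host and one `nfs/` key that belongs to vcslinux1.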

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-16 15:05 ` Trond Myklebust
@ 2005-03-16 15:40   ` mehta kiran
  2005-03-16 16:12     ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-16 15:40 UTC (permalink / raw)
  To: Trond Myklebust; +Cc: Kevin Coffman, nfs

Hi,
  The client machine is vcslinux5. I added an entry for
  nfs/vcslinux5.... to /etc/krb5.keytab on the server.

  I copied the same keytab file to the client side. Is this OK?

  Output of klist -k /etc/krb5.keytab on server:
   3 nfs/vcslinux5.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 root/admin@VXINDIA.VERITAS.COM
   2 root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM



Error in log file on mount:
Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!

thanks,
 --kiran
  

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-16 15:40   ` mehta kiran
@ 2005-03-16 16:12     ` Kevin Coffman
  2005-03-16 16:28       ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: Kevin Coffman @ 2005-03-16 16:12 UTC (permalink / raw)
  To: mehta kiran; +Cc: Trond Myklebust, nfs

A keytab holds a machine's keys.  Not keys to talk to other servers.  
(Those are obtained from the KDC.)

The client machine, vcslinux5, should have a keytab entry for:
	nfs/vcslinux5.veritas.com@VXINDIA.VERITAS.COM

The server machine, vcslinux1, should have a keytab entry for:
	nfs/vcslinux1.veritas.com@VXINDIA.VERITAS.COM

The key version number of the key in the keytab (the number listed in 
the output of klist -k) must match the key version number of the entry 
in the Kerberos database.

 
> Hi , 
>   Client machine is vcslinux5 . I added entry for
>   nfs/vcslinux5.... to /etc/krb5.keytab on server.
> 
>   I copied same keytab file to client side.Is this ok?
> 
>   output of klist -k /etc/krb5.keytab on server
>  3 nfs/vcslinux5.veritas.com@VXINDIA.VERITAS.COM
>    3
> nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
>    2 root/admin@VXINDIA.VERITAS.COM
>    2
> root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
>    3
> root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
>    2
> ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
>    3
> nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> 
> 
> 
> Error in log file on mount 
> Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING:
> failed reading uid from krb5 upcall pipe: Success
> Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key
> table entry not found while getting initial ticket for
> principal
> 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> from keytab 'FILE:/etc/krb5.keytab'
> Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No
> usable machine credentials obtained
> Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING:
> Failed to obtain machine credentials for connection to
> server vcslinux1.vxindia.veritas.com
> Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING:
> Failed to create krb5 context for user with uid 0 with
> any credentials cache for server
> vcslinux1.vxindia.veritas.com
> Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to
> write error downcall!
> 
> thanks,
>  --kiran
>   
> --- Trond Myklebust <trond.myklebust@fys.uio.no>
> wrote:
> 
> > on den 16.03.2005 Klokka 06:47 (-0800) skreiv mehta
> > kiran:
> > > I rebooted the machine due to some problem.
> > > That problem has vanished but i get following
> > message
> > > 
> > > Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING:
> > > Failed to obtain machine credentials for
> > connection to
> > > server vcslinux1.vxindia.veritas.com
> > > Mar 16 14:04:02 vcslinux5 rpc.gssd[2760]: WARNING:
> > > failed reading uid from krb5 upcall pipe: Success
> > > Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: WARNING:
> > Key
> > > table entry not found while getting initial ticket
> > for
> > > principal
> > >
> >
> 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> > > from keytab 'FILE:/etc/krb5.keytab'
> > > Mar 16 14:04:02 vcslinux5 rpc.gssd[4405]: ERROR:
> > No
> > > usable machine credentials obtained
> > 
> > So what is the name of your client? It looks like
> > your keytab file has a
> > credential for nfs/vcslinux1, but the syslog entries
> > above appear to
> > refer to vcslinux5.
> > 
> > If the client name is vcslinux5, then the credential
> > in the keytab
> > should be
> >
> nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > 
> > 
> > Cheers,
> >   Trond
> > 
> > 
> > > --- mehta kiran <kiranmehta1981@yahoo.com> wrote:
> > > > Hi , 
> > > >     Yes , module rpcsec_gss_krb5 is loaded.
> > > >     RHEL GA is installed on my machines
> > > > thanks,
> > > >  --kiran
> > > > --- Kevin Coffman <kwc@citi.umich.edu> wrote:
> > > > > Is your server's kernel built with CONFIG_RPCSEC_GSS_KRB5?
> > > > > If it is built as a module, is the module loaded?
> > > > > 
> > > > > > Hi , 
> > > > > >     I have exported filesystems to client but
> > > > > >     when client mounts using
> > > > > >     mount -t nfs4 -o sec=krb5  vcslinux1:/ /share
> > > > > >     it gets  error :
> > > > > > -------------
> > > > > >      kernel: RPC: Couldn't create auth handle (flavor 390003)
> > > > > >      kernel: NFS: cannot create RPC client.
> > > > > >      rpc.idmapd: open (/var/lib/nfs/rpc_pipefs/nfs/clnt23)
> > > > > > --------------
> > > > > > 
> > > > > >      nfs server is running on vcslinux1 system and
> > > > > >      client on vcslinux5
> > > > > >      
> > > > > >     Output of klist -k /etc/krb5.keytab on server
> > > > > > 
> > > > > > 3 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > > > 2 root/admin@VXINDIA.VERITAS.COM
> > > > > > 2 root/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > > > 3 ftp/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > > > 
> > > > > > All nfs daemons are running. rpc.svcgssd and
> > > > > > rpc.idmapd are also running.
> > > > > > 
> > > > > > On client side rpc.gssd is running with -m option.
> > > > > > 
> > > > > > thanks,
> > > > > >  --kiran
> > -- 
> > Trond Myklebust <trond.myklebust@fys.uio.no>
> > 
> > 
> 
> 

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-16 16:12     ` Kevin Coffman
@ 2005-03-16 16:28       ` Kevin Coffman
  0 siblings, 0 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-16 16:28 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

Also, "failed reading uid from krb5 upcall" and "Failed to write error 
downcall" should not normally happen.  What versions of kernel and 
nfs-utils do you have?


> > Error in log file on mount 
> > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
> > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
> > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!
> > 
> > thanks,
> >  --kiran




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-17 11:59 mehta kiran
  2005-03-17 12:27 ` Suresh Jayaram
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-17 11:59 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi kevin , 
 I am using RHEL4 GA.
 kernel : 2.6.9-5.EL
 nfs-utils : nfs-utils-1.0.6-46
  
 As per what you told , i have added entries on both
 client and server.

*client:vcslinux6#klist -k /etc/krb5.keytab
2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

*server:vcslinux5#klist -k /etc/krb5.keytab

2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM


*kdc:vcslinux1#klist -k /etc/krb5.keytab

2 root/admin@VXINDIA.VERITAS.COM
2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

I inserted rpcsec_gss_krb5 module on all machines.
started krb5kdc and kadmind.
started all nfs daemons  , rpc.svcgssd , rpc.idmapd on
server and exported filesystem with proper options.

started rpc.idmapd on client(vcslinux6).
But when i run #rpc.gssd -m -v -f
Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!


in log file:
Using keytab file '/etc/krb5.keytab'
WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
ERROR: No usable machine credentials obtained
processing client list

-------
Then i tried making kvno for vcslinux5 (on kdc) = 2
i could not.
[root@vcslinux1 ~]# kadmin
Authenticating as principal root/admin@VXINDIA.VERITAS.COM with password.
Password for root/admin@VXINDIA.VERITAS.COM:
kadmin:  modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
kadmin:  ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
Entry for principal nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.

Please let me know where i went wrong .


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 11:59 problem mounting using NFSv4 when using -o sec=krb5 option mehta kiran
@ 2005-03-17 12:27 ` Suresh Jayaram
  2005-03-17 12:53   ` mehta kiran
  2005-03-17 12:56   ` mehta kiran
  0 siblings, 2 replies; 30+ messages in thread
From: Suresh Jayaram @ 2005-03-17 12:27 UTC (permalink / raw)
  To: mehta kiran; +Cc: Kevin Coffman, nfs

Hi Kiran,

Try running rpc.gssd -f -vvv (really verbose and foreground) and
rpc.svcgssd -vvv -f
and see why it is failing. I had similar problems with NFSv4, before
updating all my packages (currently available in CITI website).

Possibly the path of libgssapi_krb5.so may not be proper. Check your
/etc/gssapi_mech.conf

Basically after installation of all packages, you need to create 2
principals in kdc server; one for server and one for client and
extract them appropriately.
Make sure all three machines are in Timesync and hostname of them are
resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
server and rpc.idmapd and rpc.gssd in client.

HTH
Suresh




-- 
"Good Luck is when preparation meets opportunity"



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 12:27 ` Suresh Jayaram
@ 2005-03-17 12:53   ` mehta kiran
  2005-03-17 12:56   ` mehta kiran
  1 sibling, 0 replies; 30+ messages in thread
From: mehta kiran @ 2005-03-17 12:53 UTC (permalink / raw)
  To: Suresh Jayaram; +Cc: Kevin Coffman, nfs

Hi Suresh , 
     #rpc.gssd -f -vvv show the same output.
     #rpc.svcgssd -f -vvv gives 
         WARNING: unable to locate function 
         krb5_gss_internal_release_oid in krb5  
         mechanism library: there will be problems
         if multiple mechanisms are used!
         entering poll
       
     /etc/gssmech.conf file has entry 
    
/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

and this library exists in /usr/lib
All machines are in TimeSync.

thanks,
 --kiran
   
   

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 12:27 ` Suresh Jayaram
  2005-03-17 12:53   ` mehta kiran
@ 2005-03-17 12:56   ` mehta kiran
  2005-03-17 13:47     ` Suresh Jayaram
  2005-03-21 15:11     ` Kevin Coffman
  1 sibling, 2 replies; 30+ messages in thread
From: mehta kiran @ 2005-03-17 12:56 UTC (permalink / raw)
  To: Suresh Jayaram; +Cc: Kevin Coffman, nfs

one more thing.

On machine running kdc , 

   entry for vcslinux5 is with kvno 3
   while entry for vcslinux5 on vcslinux5 is with kvno
   2 . Is this making a difference

thanks,
 --kiran




^ permalink raw reply	[flat|nested] 30+ messages in thread
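
Both keytab conditions raised in this thread can be checked from `klist -k` output: Trond's point that the client keytab must hold `nfs/<client-fqdn>@REALM`, and the question above about kvno 3 on the KDC against kvno 2 in the host's own keytab. The script below is an added example, not code from the thread or from nfs-utils; the function names and sample listings are constructed for illustration, and the KDC's current kvno is assumed to be supplied by the administrator.

```bash
#!/bin/sh
# Added example: audit `klist -k` output for the two keytab faults discussed
# in this thread. Function names and sample listings are constructed.
#
# Background: MIT kadmin's ktadd, by default, generates a new random key for
# the principal and increments its kvno, so a keytab extracted earlier keeps
# a key the KDC no longer uses.

# Print every kvno stored for principal $1 in `klist -k` text read on stdin.
# Header lines are skipped because their first field is not a number.
keytab_kvnos() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { print $1 }'
}

# audit_keytab HOST_FQDN REALM KDC_KVNO   (klist -k text on stdin)
# Prints exactly one verdict:
#   MISSING_PRINCIPAL  no nfs/HOST_FQDN@REALM entry in the keytab
#   STALE_KVNO         entry present, but none carries the KDC's kvno
#   OK                 entry present with the KDC's current kvno
# The body runs in a subshell so its variables stay local.
audit_keytab() (
    principal="nfs/$1@$2"
    kdc_kvno="$3"
    kvnos=$(keytab_kvnos "$principal")
    if [ -z "$kvnos" ]; then
        echo MISSING_PRINCIPAL
    elif printf '%s\n' "$kvnos" | grep -qxF "$kdc_kvno"; then
        echo OK
    else
        echo STALE_KVNO
    fi
)

# Constructed sample: keytab on vcslinux5 that only holds another host's key.
sample_wrong_host() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 root/admin@VXINDIA.VERITAS.COM
EOF
}

# Constructed sample: right principal, but extracted before a later ktadd.
sample_stale_kvno() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
EOF
}

# Constructed sample: keytab that kept the old entry and gained the new one.
sample_rotated() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
   3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
EOF
}

# Demo: audit each sample as host vcslinux5, with the KDC at kvno 3.
HOST=vcslinux5.vxindia.veritas.com
REALM=VXINDIA.VERITAS.COM
for sample in sample_wrong_host sample_stale_kvno sample_rotated; do
    printf '%-18s -> %s\n' "$sample" \
        "$($sample | audit_keytab "$HOST" "$REALM" 3)"
done
```

On a live host, pipe `klist -k /etc/krb5.keytab` into `audit_keytab` and take the third argument from the `Key: vno` line that kadmin's `getprinc` prints for the principal.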

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 12:56   ` mehta kiran
@ 2005-03-17 13:47     ` Suresh Jayaram
  2005-03-18  7:43       ` mehta kiran
  2005-03-21 15:11     ` Kevin Coffman
  1 sibling, 1 reply; 30+ messages in thread
From: Suresh Jayaram @ 2005-03-17 13:47 UTC (permalink / raw)
  To: mehta kiran; +Cc: Kevin Coffman, nfs

Hi Kiran,

Run rpc.gssd also in verbose mode
>>RPC: AUTH_GSS upcall timed out.
This means rpc.gssd is not running.
Check gssapi_mech.conf in client machine also.
Those Warning messages you can ignore..

Update your libgssapi and librpcsecgss packages (libgssapi-0.2 and
librpcsecgss-0.4)

HTH
Suresh


On Thu, 17 Mar 2005 04:56:53 -0800 (PST), mehta kiran
<kiranmehta1981@yahoo.com> wrote:
> one more thing.
> 
> On machine running kdc ,
> 
>   entry for vcslinux5 is with kvno 3
>   while entry for vcslinux5 on vcslinux5 is with kvno
>   2 . Is this making a difference
> 
> thanks,
> --kiran
> 
> --- Suresh Jayaram <sureshjayaram@gmail.com> wrote:
> 
> > Hi Kiran,
> >
> > Try running rpc.gssd -f -vvv (really verbose and foreground) and
> > rpc.svcgssd -vvv -f
> > and see why it is failing. I had similar problems with NFSv4, before
> > updating all my packages (currently available in CITI website).
> >
> > Possibly the path of libgssapi_krb5.so may not be proper. Check your
> > /etc/gssapi_mech.conf
> >
> > Basically after installation of all packages, you need to create 2
> > principals in kdc server; one for server and one for client and
> > extract them appropriately.
> > Make sure all three machines are in Timesync and hostname of them are
> > resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
> > server and rpc.idmapd and rpc.gssd in client.
> >
> > HTH
> > Suresh
> >
> >
> > On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta kiran
> > <kiranmehta1981@yahoo.com> wrote:
> > > Hi kevin ,
> > > I am using RHEL4 GA.
> > > kernel : 2.6.9-5.EL
> > > nfs-utils : nfs-utils-1.0.6-46
> > >
> > > As per what you told , i have added entries on both
> > > client and server.
> > >
> > > *client:vcslinux6#klist -k /etc/krb5.keytab
> > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > *server:vcslinux5#klist -k /etc/krb5.keytab
> > >
> > > 2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> > >
> > > 2 root/admin@VXINDIA.VERITAS.COM
> > > 2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > 3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > >
> > > I inserted rpcsec_gss_krb5 module on all machines.
> > > started krb5kdc and kadmind.
> > > started all nfs daemons  , rpc.svcgssd , rpc.idmapd on
> > > server and exported filesystem with proper options.
> > >
> > > started rpc.idmapd on client(vcslinux6).
> > > But when i run #rpc.gssd -m -v -f
> > > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
> > > Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!
> > >
> > > in log file:
> > > Using keytab file '/etc/krb5.keytab'
> > > WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > ERROR: No usable machine credentials obtained
> > > processing client list
> > >
> > > -------
> > > Then i tried making kvno for vcslinux5 (on kdc) = 2
> > > i could not.
> > > [root@vcslinux1 ~]# kadmin
> > > Authenticating as principal root/admin@VXINDIA.VERITAS.COM with password.
> > > Password for root/admin@VXINDIA.VERITAS.COM:
> > > kadmin:  modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
> > > Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
> > > kadmin:  ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > Entry for principal nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/keytab.
> > >
> > > Please let me know where i went wrong .
> > >
> > > --- Kevin Coffman <kwc@citi.umich.edu> wrote:
> > > > Also, "failed reading uid from krb5 upcall" and "Failed to write error
> > > > downcall" should not normally happen.  What versions of kernel and
> > > > nfs-utils do you have?
> > > >
> > > >
> > > > > > Error in log file on mount
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4258]: WARNING: failed reading uid from krb5 upcall pipe: Success
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: ERROR: No usable machine credentials obtained
> > > > > > Mar 16 14:58:43 vcslinux5 rpc.gssd[4405]: WARNING: Failed to obtain machine credentials for connection to server vcslinux1.vxindia.veritas.com
> > > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcslinux1.vxindia.veritas.com
> > > > > > Mar 16 14:59:08 vcslinux5 rpc.gssd[2760]: Failed to write error downcall!
> > > > > >
> > > > > > thanks,
> > > > > >  --kiran


-- 
"Good Luck is when preparation meets opportunity"



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 13:47     ` Suresh Jayaram
@ 2005-03-18  7:43       ` mehta kiran
  2005-03-18 14:10         ` Trond Myklebust
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-18  7:43 UTC (permalink / raw)
  To: Suresh Jayaram; +Cc: Kevin Coffman, nfs

Hi , 
   I tried with new library.
   libgssapi-0.2 and librpcsecgss-0.4 got installed
   in /usr/local/lib.

   Entry in /etc/gssapi_mech.conf has entry as 
/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init

   Still i get  error while starting rpc.gssd 

[root@vcslinux6 ~]# rpc.gssd -f -vvv
Using keytab file '/etc/krb5.keytab'
Processing keytab entry for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
We will use this entry (nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM)
WARNING: Decrypt integrity check failed while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
ERROR: No usable machine credentials obtained
processing client list


and while mounting it says:
rpc.gssd may not be running...


   May be i am going wrong in procedure of adding 
   entries in keytab.

   Steps.

   On machine running KDC:
   1.create database using kdb5_util create -s.
   2.using "kadmin.local" interface
        addprinc root/admin
        ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin

        addprinc nfs/vcslinux5.vxindia.veritas.com
        ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com

        addprinc nfs/vcslinux6.vxindia.veritas.com
        ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
   3.At the end do cp /tmp/keytab /etc/krb5.keytab.
   4.Output of klist -k /etc/krb5.keytab 

2 root/admin@VXINDIA.VERITAS.COM
2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM

   Machine running nfs server(vcslinux5)

   1.create database using kdb5_util create -s
   2. using "kadmin.local" interface create
      entry for nfs/vcslinux5.vxindia.veritas.com
   3.output of klist -k /etc/krb5.keytab   

2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM

   Similarly on machine running nfs client(vcslinux6)
   after making entry using kadmin.local interface  
   for it 
   output of klist -k /etc/krb5.keytab

2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

On "all" the machine  , /etc/krb.conf
has  following entries for realms and domain_realms
[realms]
 VXINDIA.VERITAS.COM = {
  kdc = vcslinux1.vxindia.veritas.com:88
  admin_server = vcslinux1.vxindia.veritas.com:749
  default_domain = vxindia.veritas.com
 }

[domain_realm]
 .vxindia.veritas.com = VXINDIA.VERITAS.COM
  vxindia.veritas.com = VXINDIA.VERITAS.COM


Did i go wrong anywhere ?

--thanks,
 --kiran


   



--- Suresh Jayaram <sureshjayaram@gmail.com> wrote:

> Hi Kiran,
> 
> Run rpc.gssd also in verbose mode
> >>RPC: AUTH_GSS upcall timed out.
> This means rpc.gssd is not running.
> Check gssapi_mech.conf in client machine also.
> Those Warning messages you can ignore..
> 
> Update your libgssapi and librpcsecgss packages
> (libgssapi-0.2 and
> librpcsecgss-0.4)
> 
> HTH
> Suresh

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-18  7:43       ` mehta kiran
@ 2005-03-18 14:10         ` Trond Myklebust
  0 siblings, 0 replies; 30+ messages in thread
From: Trond Myklebust @ 2005-03-18 14:10 UTC (permalink / raw)
  To: mehta kiran; +Cc: Suresh Jayaram, Kevin Coffman, nfs

On Thu, 17.03.2005 at 23:43 (-0800), mehta kiran wrote:

>    On machine running KDC:
>    1.create database using kdb5_util create -s.
>    2.using "kadmin.local" interface
>         addprinc root/admin
>         ktadd -e des-cbc-crc:normal -k /tmp/keytab root/admin
> 
>         addprinc nfs/vcslinux5.vxindia.veritas.com
>         ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com
> 
>         addprinc nfs/vcslinux6.vxindia.veritas.com
>         ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux6.vxindia.veritas.com
>    3.At the end do cp /tmp/keytab /etc/krb5.keytab.
>    4.Output of klist -k /etc/krb5.keytab 
> 
> 2 root/admin@VXINDIA.VERITAS.COM
> 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> 2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> 
> 

No. All you want to do is

On machine running KDC:
   1.create database using kdb5_util create -s.
   2.using "kadmin.local" interface

	addprinc root/admin

	addprinc nfs/vcslinux5.vxindia.veritas.com
	ktadd -e des-cbc-crc:normal -k /tmp/keytab.vcslinux5 nfs/vcslinux5.vxindia.veritas.com

	addprinc nfs/vcslinux6.vxindia.veritas.com
	ktadd -e des-cbc-crc:normal -k /tmp/keytab.vcslinux6 nfs/vcslinux6.vxindia.veritas.com


Then copy /tmp/keytab.vcslinux5 to /etc/krb5.keytab on vcslinux5,
copy /tmp/keytab.vcslinux6 to /etc/krb5.keytab on vcslinux6,...
Then just delete /tmp/keytab.vcslinux*

scp -p /tmp/keytab.vcslinux5  vcslinux5:/etc/krb5.keytab
scp -p /tmp/keytab.vcslinux6  vcslinux6:/etc/krb5.keytab
rm /tmp/keytab.vcslinux5 /tmp/keytab.vcslinux6

IOW:
  - Since the KDC is the trusted server that authenticates your
credentials, you _must_ be using keytabs generated by the KDC on each
client.
  - The server does not need to have a copy of the keytab.
  - The clients do not need to have a copy of any keytab entry other than
their own.

Your /etc/krb.conf really needs to be a /etc/krb5.conf, but otherwise,
the entries in your mail looked OK.

Cheers,
  Trond
-- 
Trond Myklebust <trond.myklebust@fys.uio.no>




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-17 12:56   ` mehta kiran
  2005-03-17 13:47     ` Suresh Jayaram
@ 2005-03-21 15:11     ` Kevin Coffman
  2005-03-21 15:45       ` mehta kiran
  2005-03-21 15:45       ` mehta kiran
  1 sibling, 2 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-21 15:11 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

Kiran,
Sorry, I was away for a few days with bad connectivity.

Each time you run the "ktadd" command to create a keytab entry, the key 
version number (kvno) for that principal is updated.  You cannot simply 
modify the kvno for a principal because the kvno is associated with the 
key.  I'd advise throwing out the keytab on vcslinux5 and creating a new 
keytab for that principal.


P.S.  Here is what the ktadd command does:
- It generates a new random key value for the
  principal (with a new key version)
- It puts this new key into the Kerberos DB, replacing
  any previous key with a lower kvno
- It puts this new key into the keytab file that was
  specified

Therefore, each time you run ktadd, the old keytab entry
becomes obsolete.


> one more thing.
> 
> On machine running kdc , 
> 
>    entry for vcslinux5 is with kvno 3
>    while entry for vcslinux5 on vcslinux5 is with kvno
>    2 . Is this making a difference
> 
> thanks,
>  --kiran

^ permalink raw reply	[flat|nested] 30+ messages in thread
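
Kevin's description of what ktadd does, and Trond's point that each host's keytab must come from the KDC and hold only that host's own entry, as an added example (not code from the thread, nfs-utils or MIT Kerberos). `ModelKDC`, `audit_keytab` and the finding names are hypothetical, and the `klist -k` listing is constructed from the kvno values quoted in the thread.

```python
import re
import secrets

REALM = "VXINDIA.VERITAS.COM"
P5 = "nfs/vcslinux5.vxindia.veritas.com@" + REALM
P6 = "nfs/vcslinux6.vxindia.veritas.com@" + REALM

# Constructed `klist -k` listing for vcslinux5, using the kvno reported in the thread.
VCSLINUX5_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Map principal -> highest kvno from `klist -k` output (header lines are skipped)."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            entries[princ] = max(kvno, entries.get(princ, 0))
    return entries


class ModelKDC:
    """Toy principal database (an assumption, not a real KDC): principal -> (kvno, key)."""

    def __init__(self):
        self.db = {}

    def addprinc(self, princ):
        self.db[princ] = (1, secrets.token_bytes(16))

    def ktadd(self, princ):
        """New random key with kvno + 1, stored in the DB and returned for the keytab."""
        kvno, _ = self.db[princ]
        self.db[princ] = (kvno + 1, secrets.token_bytes(16))
        return self.db[princ]

    def accepts(self, princ, keytab_entry):
        """True only if the keytab entry holds the kvno and key the DB has now."""
        return self.db.get(princ) == keytab_entry

    def kvnos(self):
        return {p: kvno for p, (kvno, _) in self.db.items()}


def audit_keytab(host_fqdn, keytab_kvnos, kdc_kvnos):
    """Return sorted (finding, principal) pairs for one host's keytab listing."""
    findings = []
    for princ, kvno in keytab_kvnos.items():
        name = princ.split("@", 1)[0]
        instance = name.split("/", 1)[1] if "/" in name else ""
        if instance != host_fqdn:
            findings.append(("foreign", princ))         # entry belongs to another identity
        current = kdc_kvnos.get(princ)
        if current is None:
            findings.append(("unknown-to-kdc", princ))  # KDC has no such principal
        elif kvno != current:
            findings.append(("stale-kvno", princ))      # a later ktadd replaced the key
    return sorted(findings)


def demo():
    kdc = ModelKDC()
    kdc.addprinc(P5)
    first = kdc.ktadd(P5)      # kvno 2: the entry copied to vcslinux5
    second = kdc.ktadd(P5)     # kvno 3: a later ktadd run on the KDC
    kdc.addprinc(P6)
    kdc.ktadd(P6)              # kvno 2 in the KDC's database
    scratch = ModelKDC()       # a separate database created on the client itself
    scratch.addprinc(P6)
    local = scratch.ktadd(P6)  # also kvno 2, but an unrelated random key
    return {
        "old_entry_accepted": kdc.accepts(P5, first),
        "new_entry_accepted": kdc.accepts(P5, second),
        "local_kvno_matches": local[0] == kdc.kvnos()[P6],
        "local_entry_accepted": kdc.accepts(P6, local),
        "audit_vcslinux5": audit_keytab(
            "vcslinux5.vxindia.veritas.com",
            parse_klist(VCSLINUX5_KLIST),
            kdc.kvnos(),
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audit only compares version numbers, so it catches the kvno 2 versus kvno 3 case but not a keytab generated from a different database; on a live realm, `kinit -k -t` against the keytab is the check that exercises the key itself.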

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-21 15:11     ` Kevin Coffman
@ 2005-03-21 15:45       ` mehta kiran
  2005-03-21 21:36         ` Kevin Coffman
  2005-03-21 15:45       ` mehta kiran
  1 sibling, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-21 15:45 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs


Hi , 
             I tried things as directed by Trond in
    his previous mail and everything seemed to work
    fine initially. but when i rebooted system , 
    it started giving error whenever i start rpc.gssd
    on client machine.
    Error is :

[root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: WARNING: Key table entry not found while getting initial ticket for principal 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM' from keytab 'FILE:/etc/krb5.keytab'
Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No usable machine credentials obtained

while #klist -k /etc/krb5.keytab gives
2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

I even tried by recreating kerberos database but in
vain. I still get the same error.

I observed one more thing.
Whenever i create principal(other than root/admin) ,
passwords i enter for them during their creation
are not accepted by kinit.

Please let me know where i went wrong.

--thanks,
 --kiran








--- Kevin Coffman <kwc@citi.umich.edu> wrote:

> Kiran,
> Sorry, I was away for a few days with bad
> connectivity.
> 
> Each time you run the "ktadd" command to create a
> keytab entry, the key 
> version number (kvno) for that principal is updated.
>  You cannot simply 
> modify the kvno for a principal because the kvno is
> associated with the 
> key.  I'd advise throwing out the keytab on
> vcslinux5 and create a new 
> keytab for that principal.
> 
> 
> P.S.  Here is what the ktadd command does:
> - It generates a new random key value for the
>   principal (with a new key version)
> - It puts this new key into the Kerberos DB,
> replacing
>   any previous key with a lower kvno
> - It puts this new key into the keytab file that was
>   specified
> 
> Therefore, each time you run ktadd, the old keytab
> entry
> becomes obsolete.
> 
> 
>  > one more thing.
> > 
> > On machine running kdc , 
> > 
> >    entry for vcslinux5 is with kvno 3
> >    while entry for vcslinux5 on vcslinux5 is with
> kvno
> >    2 . Is this making a difference
> > 
> > thanks,
> >  --kiran
> > 
> > 
> > 
> > --- Suresh Jayaram <sureshjayaram@gmail.com>
> wrote:
> > 
> > > Hi Kiran,
> > > 
> > > Try running rpc.gssd -f -vvv (really verbose and
> > > foreground) and
> > > rpc.svcgssd -vvv -f
> > > and see why it is failing. I has similar
> problems
> > > with NFSv4, before
> > > updating all my packages (currently available in
> > > CITI website).
> > > 
> > > Possibly the path of libgssapi_krb5.so may not
> be
> > > proper. Check your
> > > /etc/gssapi_mech.conf
> > > 
> > > Basically after installation of all packages,
> you
> > > need to create 2
> > > principals in kdc server; one for server and one
> for
> > > client and
> > > extract them appropriately.
> > > Make sure all three machines are in Timesync and hostname of them are
> > > resolvable. Run rpc.mountd, rpc.idmapd, rpc.svcgssd and rpc.nfsd in
> > > server and rpc.idmapd and rpc.gssd in client.
> > > 
> > > HTH
> > > Suresh
> > > 
> > > 
> > > On Thu, 17 Mar 2005 03:59:52 -0800 (PST), mehta kiran
> > > <kiranmehta1981@yahoo.com> wrote:
> > > > Hi kevin ,
> > > > I am using RHEL4 GA.
> > > > kernel : 2.6.9-5.EL
> > > > nfs-utils : nfs-utils-1.0.6-46
> > > > 
> > > > As per what you told , i have added entries on both
> > > > client and server.
> > > > 
> > > > *client:vcslinux6#klist -k /etc/krb5.keytab
> > > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 
> > > > *server:vcslinux5#klist -k /etc/krb5.keytab
> > > > 
> > > > 2 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 
> > > > *kdc:vcslinux1#klist -k /etc/krb5.keytab
> > > > 
> > > > 2 root/admin@VXINDIA.VERITAS.COM
> > > > 2 nfs/vcslinux1.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 3 nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 
> > > > I inserted rpcsec_gss_krb5 module on all machines.
> > > > started krb5kdc and kadmind.
> > > > started all nfs daemons  , rpc.svcgssd , rpc.idmapd on
> > > > server and exported filesystem with proper options.
> > > > 
> > > > started rpc.idmapd on client(vcslinux6).
> > > > But when i run #rpc.gssd -m -v -f
> > > > Mar 17 11:13:03 vcslinux6 kernel: RPC: AUTH_GSS upcall timed out.
> > > > Mar 17 11:13:03 vcslinux6 kernel: Please check user daemon is running!
> > > > 
> > > > in log file:
> > > > Using keytab file '/etc/krb5.keytab'
> > > > WARNING: Decrypt integrity check failed while getting
> > > > initial ticket for principal
> > > > 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> > > > from keytab 'FILE:/etc/krb5.keytab'
> > > > ERROR: No usable machine credentials obtained
> > > > processing client list
> > > > 
> > > > -------
> > > > Then i tried making kvno for vcslinux5 (on kdc) = 2
> > > > i could not.
> > > > [root@vcslinux1 ~]# kadmin
> > > > Authenticating as principal
> > > > root/admin@VXINDIA.VERITAS.COM with password.
> > > > Password for root/admin@VXINDIA.VERITAS.COM:
> > > > kadmin:  modprinc -kvno 2 nfs/vcslinux5.vxindia.veritas.com
> > > > Principal "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM" modified.
> > > > kadmin:  ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > Entry for principal
> > > > nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > with kvno 3, encryption type DES cbc mode with CRC-32
> > > > added to keytab WRFILE:/tmp/keytab.
> > > > 
> > > > Please let me know where i went wrong .
> > > > 
> > > > --- Kevin Coffman <kwc@citi.umich.edu> wrote:
> > > > > Also, "failed reading uid from krb5 upcall" and
> > > > > "Failed to write error downcall" should not normally happen.
> > > > > What versions of kernel and nfs-utils do you have?
> > > > >
> > > > >
> 
=== message truncated ===



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-21 15:11     ` Kevin Coffman
  2005-03-21 15:45       ` mehta kiran
@ 2005-03-21 15:45       ` mehta kiran
  1 sibling, 0 replies; 30+ messages in thread
From: mehta kiran @ 2005-03-21 15:45 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs


Hi Kevin, 
             I tried things as directed by Trond in
    his previous mail and everything seemed to work
    fine initially. but when i rebooted system , 
    it started giving error whenever i start rpc.gssd
    on client machine.
    Error is :

[root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6
rpc.gssd[3487]: WARNING: Key table entry not found
while getting initial ticket for principal
'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
from keytab 'FILE:/etc/krb5.keytab'
Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No
usable machine credentials obtained
  
     
while #klist -k /etc/krb5.keytab gives
2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM

I even tried by recreating kerberos database but in
vain. I still get the same error.

I observed one more thing.
Whenever i create principal(other than root/admin) ,
passwords i enter for them during their creation
are not accepted by kinit.

Please let me know where i went wrong.

--thanks,
 --kiran








--- Kevin Coffman <kwc@citi.umich.edu> wrote:

> Kiran,
> Sorry, I was away for a few days with bad connectivity.
> 
> Each time you run the "ktadd" command to create a keytab entry, the key 
> version number (kvno) for that principal is updated.  You cannot simply 
> modify the kvno for a principal because the kvno is associated with the 
> key.  I'd advise throwing out the keytab on vcslinux5 and create a new 
> keytab for that principal.
> 
> 
> P.S.  Here is what the ktadd command does:
> - It generates a new random key value for the
>   principal (with a new key version)
> - It puts this new key into the Kerberos DB, replacing
>   any previous key with a lower kvno
> - It puts this new key into the keytab file that was
>   specified
> 
> Therefore, each time you run ktadd, the old keytab entry
> becomes obsolete.
> 
> 
> > one more thing.
> > 
> > On machine running kdc , 
> > 
> >    entry for vcslinux5 is with kvno 3
> >    while entry for vcslinux5 on vcslinux5 is with kvno
> >    2 . Is this making a difference
> > 
> > thanks,
> >  --kiran
> > 
> > 
> > 
> > --- Suresh Jayaram <sureshjayaram@gmail.com> wrote:
> > 
> > > Hi Kiran,
> > > 
> > > Try running rpc.gssd -f -vvv (really verbose and foreground) and
> > > rpc.svcgssd -vvv -f
> > > and see why it is failing. I had similar problems with NFSv4, before
> > > updating all my packages (currently available in CITI website).
> > > 
> > > Possibly the path of libgssapi_krb5.so may not be proper. Check your
> > > /etc/gssapi_mech.conf
> > > 
> > > Basically after installation of all packages, you need to create 2
> > > principals in kdc server; one for server and one for client and
> > > extract them appropriately.
=== message truncated ===



		

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-21 15:45       ` mehta kiran
@ 2005-03-21 21:36         ` Kevin Coffman
  0 siblings, 0 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-21 21:36 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

> 
> Hi , 
>              I tried things as directed by Trond in
>     his previous mail and everything seemed to work
>     fine initially. but when i rebooted system , 
>     it started giving error whenever i start rpc.gssd
>     on client machine.
>     Error is :
> 
> [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6
> rpc.gssd[3487]: WARNING: Key table entry not found
> while getting initial ticket for principal
> 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> from keytab 'FILE:/etc/krb5.keytab'
> Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No
> usable machine credentials obtained
>   
>      
> while #klist -k /etc/krb5.keytab gives
> 2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM


I'm confused by this, but I do not know what to look for.


> I even tried by recreating kerberos database but in
> vain. I still get the same error.

If you recreated the Kerberos database, you need to
create new principals and keytab files.  Did you do this?

> I observed one more thing.
> Whenever i create principal(other than root/admin) ,
> passwords i enter for them during their creation
> are not accepted by kinit.

This is also strange and _might_ be related.  How are
you creating the principals -- using kadmin or kadmin.local?
Which principals are you referring to here?

> 
> Please let me know where i went wrong.
> 
> --thanks,
>  --kiran




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-22  4:13 mehta kiran
  2005-03-22 14:05 ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-22  4:13 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi Kevin , 
    I created new database and new principal and 
    keytab files.

    Kinit does not accept password for principals
    nfs/vcslinux5.vxindia.veritas.com
    and
    nfs/vcslinux6.vxindia.veritas.com

    Please let me know if i can provide some info(and
how) (logs) which can point out the problem

thanks,
 --kiran






^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-22  4:40 mehta kiran
  2005-03-22  8:06 ` mehta kiran
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-22  4:40 UTC (permalink / raw)
  To: mehta kiran, Kevin Coffman; +Cc: nfs

Missed one thing.
 I used kadmin.local to create principals(on machine
running KDC)

thanks,
 --kiran


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-22  4:40 mehta kiran
@ 2005-03-22  8:06 ` mehta kiran
  2005-03-22 14:18   ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-22  8:06 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi Kevin , 
    God knows how , but everything is working fine now.
    I could not figure out why was it failing earlier.
    
    I have one question.
    Is it possible to use common ip to access 
    machines when kerberos is running .i:e
    I want to access system1 with an ip say IP.
    when system1 crashes , i want to start services
    of system1 on system2 but want to access system2
    with same IP.

     what I tried was
     create keys (on machine running KDC)
     for all machines in my subnet.
     
     After this take an ip and register it with DNS 
     with some name say NFS.domain.
     Create key (on machine running kdc) for NFS.domain
     For machines those which will run nfs server , 
     ktadd respective machine key + ktadd NFS.domain
     key and copy keytab file to respective machines.
     For all other machines just ktadd respective 
     machine key and copy keytab file to respective 
     machines.
     In short , 
     on machine running nfs server,
     #klist -k /etc/krb5.keytab
      2 nfs/<hostname.domainname>@<realm>
      2 nfs/NFS.domainname@<realm>

     for other machines(nfs clients)
     #klist -k /etc/krb5.keytab
      2 nfs/<hostname.domainname>@<realm>
     
     but when i try to mount exported filesystems
     from nfs client , 
     using 
     #mount -t nfs4 -osec=krb5 NFS.doaminname:/ /share

      Failed to create krb5 context for user with uid 0
      with any credential cache for server NFS.domainname
 
      Everything works well if genuine server name is 
      used for mounting.Problem arises only when
      (virtual ip) NFS.domainname is used.

   thanks,
 --kiran
     





		

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-22  4:13 mehta kiran
@ 2005-03-22 14:05 ` Kevin Coffman
  0 siblings, 0 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-22 14:05 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

If you create a principal using a password, you should be able to 
authenticate as that principal using that password.  However, once you 
do a ktadd for that principal the password will no longer work.  See my 
previous message about what ktadd does.

Are you able to do a kinit using the keytab for
nfs/vcslinux5.vxindia.veritas.com?
("kinit -k -t /etc/krb5.keytab  nfs/vcslinux5.vxindia.veritas.com")

Can you list the keys in your keytab using the ktutil program?  I 
suspect that something is wrong with your keytab file.  How did you 
move it from the KDC machine to your NFS client?


> Hi Kevin , 
>     I created new database and new principal and 
>     keytab files.
> 
>     Kinit does not accept password for principals
>     nfs/vcslinux5.vxindia.veritas.com
>     and
>     nfs/vcslinux6.vxindia.veritas.com
> 
>     Please let me know if i can provide some info(and
> how) (logs) which can point out the problem
> 
> thanks,
>  --kiran





^ permalink raw reply	[flat|nested] 30+ messages in thread
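
The check suggested in the message above (list what the keytab really holds, then compare it with the KDC), written out as an added example that is not code from this thread or from the krb5 or nfs-utils projects. It reads the MIT keytab file format (version 0x0502) directly; the keytab bytes are constructed with dummy keys, `KDC_KVNO` stands in for the key version numbers that `kadmin` `getprinc` would report, and all function names are hypothetical.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96"}


class KeytabError(ValueError):
    """The bytes are not a well-formed version 0x0502 keytab."""


def _parse_entry(buf):
    """Decode one entry body (the bytes after its 32-bit size field)."""
    off = 0

    def take(fmt):
        nonlocal off
        size = struct.calcsize(fmt)
        if off + size > len(buf):
            raise KeytabError("entry is truncated")
        values = struct.unpack_from(fmt, buf, off)
        off += size
        return values

    def counted():
        nonlocal off
        (length,) = take(">H")
        if off + length > len(buf):
            raise KeytabError("counted string runs past the end of its entry")
        data = buf[off:off + length]
        off += length
        return data

    (ncomp,) = take(">H")
    realm = counted().decode("utf-8", "replace")
    comps = [counted().decode("utf-8", "replace") for _ in range(ncomp)]
    _name_type, _timestamp, kvno = take(">IIB")
    (enctype,) = take(">H")
    key = counted()
    if len(buf) - off >= 4:        # optional 32-bit kvno after the key
        (kvno32,) = take(">I")
        kvno = kvno32 or kvno      # zero is padding: keep the 8-bit value
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)), "keylen": len(key)}


def parse_keytab(data):
    """Return the entries of a keytab, raising KeytabError on damage."""
    if data[:2] != b"\x05\x02":
        raise KeytabError("missing 0x0502 version header")
    pos, entries = 2, []
    while pos < len(data):
        if pos + 4 > len(data):
            raise KeytabError("truncated size field at offset %d" % pos)
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # hole left by a deleted entry
            pos += -size
            continue
        if pos + size > len(data):
            raise KeytabError("entry at offset %d runs past end of file" % pos)
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def stale_entries(entries, kdc_kvno):
    """List (principal, kvnos held, KDC kvno) where no held key is current."""
    held = {}
    for e in entries:
        held.setdefault(e["principal"], []).append(e["kvno"])
    return [(p, sorted(v), kdc_kvno.get(p))
            for p, v in held.items() if kdc_kvno.get(p) not in v]


# --- constructed sample data (dummy keys, not a real keytab) ---
def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype=1, key=b"\x00" * 8):
    name, realm = principal.rsplit("@", 1)
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, time, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


P5 = "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM"
P6 = "nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(P5, 2)
                 + struct.pack(">i", -6) + b"\x00" * 6   # deleted-entry hole
                 + build_entry(P6, 2))
# Assumed KDC state: ktadd was run once more for P5, so the KDC is at kvno 3.
KDC_KVNO = {P5: 3, P6: 2}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["kvno"], e["principal"], e["enctype"])
    print("stale:", stale_entries(parse_keytab(SAMPLE_KEYTAB), KDC_KVNO))
```
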

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-22  8:06 ` mehta kiran
@ 2005-03-22 14:18   ` Kevin Coffman
  2005-03-22 15:15     ` mehta kiran
  0 siblings, 1 reply; 30+ messages in thread
From: Kevin Coffman @ 2005-03-22 14:18 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

I'm happy to hear the normal case is working.

The Kerberos library code does a reverse lookup of the host it is 
trying to connect to in order to obtain the "real" host name.  It uses 
that name to determine what principal it needs a ticket for.  It would 
help to see the exact messages from rpc.gssd, rpc.svcgssd, and from the 
KDC.


> Hi Kevin , 
>     God knows how , but everything is working fine now.
>     I could not figure out why was it failing earlier.
>     
>     I have one question.
>     Is it possible to use common ip to access 
>     machines when kerberos is running .i:e
>     I want to access system1 with an ip say IP.
>     when system1 crashes , i want to start services
>     of system1 on system2 but want to access system2
>     with same IP.
> 
>      what I tried was
>      create keys (on machine running KDC)
>      for all machines in my subnet.
>      
>      After this take an ip and register it with DNS 
>      with some name say NFS.domain.
>      Create key (on machine running kdc) for NFS.domain
>      For machines those which will run nfs server , 
>      ktadd respective machine key + ktadd NFS.domain
>      key and copy keytab file to respective machines.
>      For all other machines just ktadd respective 
>      machine key and copy keytab file to respective 
>      machines.
>      In short , 
>      on machine running nfs server,
>      #klist -k /etc/krb5.keytab
>       2 nfs/<hostname.domainname>@<realm>
>       2 nfs/NFS.domainname@<realm>
> 
>      for other machines(nfs clients)
>      #klist -k /etc/krb5.keytab
>       2 nfs/<hostname.domainname>@<realm>
>      
>      but when i try to mount exported filesystems
>      from nfs client , 
>      using 
>      #mount -t nfs4 -osec=krb5 NFS.doaminname:/ /share
> 
>       Failed to create krb5 context for user with uid 0
>       with any credential cache for server NFS.domainname
>  
>       Everything works well if genuine server name is 
>       used for mounting.Problem arises only when
>       (virtual ip) NFS.domainname is used.
> 
>    thanks,
>  --kiran
>      
> 
> 
> --- mehta kiran <kiranmehta1981@yahoo.com> wrote:
> 
> > Missed one thing.
> >  I used kadmin.local to create principals(on machine
> > runnnig KDC)
> > 
> > thanks,
> >  --kiran
> > --- mehta kiran <kiranmehta1981@yahoo.com> wrote:
> > > Hi Kevin , 
> > >     I created new database and new principal and 
> > >     keytab files.
> > > 
> > >     Kinit does not accept passowrd for principals
> > >     nfs/vcslinux5.vxindia.veritas.com
> > >     and
> > >     nfs/vcslinux6.vxindia.veritas.com
> > > 
> > >     Please let me know if i can provide some
> > > info(and
> > > how) (logs) which can point out the problem
> > > 
> > > thanks,
> > >  --kiran
> > > 
> > > 
> > > 
> > > 
> > > --- Kevin Coffman <kwc@citi.umich.edu> wrote:
> > > > > 
> > > > > Hi , 
> > > > >              I tried things as directed by
> > Trond
> > > > in
> > > > >     his previous mail and everything seemed to
> > > > work
> > > > >     fine initally. but when i rebooted system
> > , 
> > > > >     it started giving error whenever i start
> > > > rpc.gssd
> > > > >     on client machine.
> > > > >     Error is :
> > > > > 
> > > > > [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6
> > > > > rpc.gssd[3487]: WARNING: Key table entry not
> > > found
> > > > > while getting initial ticket for principal
> > > > >
> > > >
> > >
> >
> 'nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM'
> > > > > from keytab 'FILE:/etc/krb5.keytab'
> > > > > Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]:
> > ERROR:
> > > > No
> > > > > usable machine credentials obtained
> > > > >   
> > > > >      
> > > > > while #klist -k /etc/krb5.keytab gives
> > > > > 2
> > > > >
> > > >
> > >
> >
> nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
> > > > 
> > > > 
> > > > I'm confused by this, but I do not know what to
> > > look
> > > > for.
> > > > 
> > > > 
> > > > > I even tried by recreating kerberos database
> > but
> > > > in
> > > > > vain. I still get the same error.
> > > > 
> > > > If you recreated the Kerberos database, you need
> > > to
> > > > create new principals and keytab files.  Did you
> > > do
> > > > this?
> > > > 
> > > > > I observed one more thing.
> > > > > Whenver i create principal(other then
> > > root/admin)
> > > > ,
> > > > > passwords i enter for them during their
> > creation
> > > > > are not accepted by kinit.
> > > > 
> > > > This is also strange and _might_ be related. 
> > How
> > > > are
> > > > you creating the principals -- using kadmin or
> > > > kadmin.local?
> > > > Which principals are you referring to here?
> > > > 
> > > > > 
> > > > > Please let me know where i went wrong.
> > > > > 
> > > > > --thanks,
> > > > >  --kiran
> > > > 
> > > > 

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-22 14:18   ` Kevin Coffman
@ 2005-03-22 15:15     ` mehta kiran
  2005-03-22 15:34       ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-22 15:15 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi Kevin,

     As you told, kerberos library does reverse
     lookup to get hostname to determine the
     principal it needs ticket for.
     I followed the steps as mentioned in my previous
     mail so that i can access nfs using same ip on
     system2 if system1 crashes.
     While mounting i used NFS.domainname (entry
     i added to DNS : NFS.domainname <virtual_ip>)
     As key for NFS.domainname is present on nfs
     server shouldn't mount be successful?

     But this is not the case.
     Messages on server (vcslinux6)

Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: gss_accept_sec_context failed
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Miscellaneous failure - Wrong principal in request
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: failed to write message
Mar 22 14:05:01 vcslinux6 crond(pam_unix)[6083]: session opened for user root by (uid=0)

     Messages on client (vcslinux5)

[root@vcslinux5 ~]# Mar 22 14:04:49 vcslinux5 rpc.gssd[4117]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcsnfs.vxindia.veritas.com

     Message on KDC (vcslinux1)

Mar 22 14:33:18 vcslinux1 krb5kdc[4134]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=1 tkt=23 ses=16}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for krbtgt/VXINDIA.VERITAS.COM@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM

thanks,
 --kiran



    
--- Kevin Coffman <kwc@citi.umich.edu> wrote:

> I'm happy to hear the normal case is working.
>
> The Kerberos library code does a reverse lookup of
> the host it is trying to connect to in order to obtain
> the "real" host name.  It uses that name to determine
> what principal it needs a ticket for.  It would
> help to see the exact messages from rpc.gssd,
> rpc.svcgssd, and from the KDC.
>
> > Hi Kevin,
> >     God knows how, but everything is working fine now.
> >     I could not figure out why was it failing earlier.
> >
> >     I have one question.
> >     Is it possible to use common ip to access
> >     machines when kerberos is running, i.e.
> >     I want to access system1 with an ip say IP.
> >     When system1 crashes, i want to start services
> >     of system1 on system2 but want to access system2
> >     with same IP.
> >
> >      What i tried was
> >      create keys (on machine running KDC)
> >      for all machines in my subnet.
> >
> >      After this take an ip and register it with DNS
> >      with some name say NFS.domain.
> >      Create key (on machine running kdc) for NFS.domain
> >      For machines those which will run nfs server,
> >      ktadd respective machine key + ktadd NFS.domain
> >      key and copy keytab file to respective machines.
> >      For all other machines just ktadd respective
> >      machine key and copy keytab file to respective
> >      machines.
> >      In short,
> >      on machine running nfs server,
> >      #klist -k /etc/krb5.keytab
> >       2 nfs/<hostname.domainname>@<realm>
> >       2 nfs/NFS.domainname@<realm>
> >
> >      for other machines (nfs clients)
> >      #klist -k /etc/krb5.keytab
> >       2 nfs/<hostname.domainname>@<realm>
> >
> >      but when i try to mount exported filesystems
> >      from nfs client,
> >      using
> >      #mount -t nfs4 -osec=krb5 NFS.domainname:/ /share
> >
> >       Failed to create krb5 context for user with uid 0
> >       with any credential cache for server
> >       NFS.domainname
> >
> >       Everything works well if genuine server name is
> >       used for mounting. Problem arises only when
> >       (virtual ip) NFS.domainname is used.
> >
> >    thanks,
> >  --kiran

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-22 15:15     ` mehta kiran
@ 2005-03-22 15:34       ` Kevin Coffman
  2005-03-22 15:41         ` mehta kiran
  0 siblings, 1 reply; 30+ messages in thread
From: Kevin Coffman @ 2005-03-22 15:34 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

The server code is expecting a ticket for
'nfs/vcslinux6.vxindia.veritas.com', but it is getting a ticket for
'nfs/vcsnfs.vxindia.veritas.com'.  This is a limitation of the
rpcsec_gss library.  This is on my list of things to try and change.

Kevin



^ permalink raw reply	[flat|nested] 30+ messages in thread
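
Added example, not part of the thread or of the nfs-utils code: a parser for the krb5kdc ISSUE lines posted above that reports tickets requested for a floating name which the hosting server will refuse, the mismatch Kevin describes. The FLOATING_NAMES map (vcsnfs served by vcslinux6) is taken from the thread; the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input: the three krb5kdc lines from the thread, with the mail
# client's hard line wraps joined back into single log lines.
KDC_LOG = """\
Mar 22 14:33:18 vcslinux1 krb5kdc[4134]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=1 tkt=23 ses=16}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for krbtgt/VXINDIA.VERITAS.COM@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM for nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

# From the thread: the virtual name vcsnfs is currently served by vcslinux6.
FLOATING_NAMES = {"vcsnfs.vxindia.veritas.com": "vcslinux6.vxindia.veritas.com"}

# Kerberos encryption type numbers that appear in the etypes {...} fields.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]+\}\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)\s*$"
)


def parse_issue(line):
    """Return the fields of one krb5kdc ISSUE line, or None for other lines."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ticket_etype"] = ETYPE_NAMES.get(int(rec["tkt"]), "etype-" + rec["tkt"])
    return rec


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def principal_mismatches(log_text, floating_names, service="nfs"):
    """List service tickets issued for a floating name.

    floating_names maps a virtual DNS name to the real host serving it.
    Per the reply above, the server side only accepts a ticket for
    service/<its own host name>, so each hit predicts a
    'Wrong principal in request' failure on that host.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_issue(line)
        if rec is None or rec["kind"] != "TGS_REQ":
            continue
        svc, host, realm = split_principal(rec["service"])
        real_host = floating_names.get(host.lower())
        if svc != service or real_host is None:
            continue
        expected = f"{service}/{real_host}@{realm}"
        hits[(rec["client"], rec["service"], expected, rec["ticket_etype"])] += 1
    return [
        {"client": c, "requested": r, "server_expects": e,
         "ticket_etype": t, "count": n}
        for (c, r, e, t), n in hits.items()
    ]


if __name__ == "__main__":
    for hit in principal_mismatches(KDC_LOG, FLOATING_NAMES):
        print(hit)
```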

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
@ 2005-03-22 15:39 mehta kiran
  2005-03-22 16:12 ` Kevin Coffman
  0 siblings, 1 reply; 30+ messages in thread
From: mehta kiran @ 2005-03-22 15:39 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

Hi Kevin,
 These are some of the lines from your previous mails.
 Sorry, but i could not digest these lines.
------------------

if you create a principal using a password, you should be able to
authenticate as that principal using that password.  However, once you
do a ktadd for that principal the password will no longer work.  See my
previous message about what ktadd does.

P.S.  Here is what the ktadd command does:
- It generates a new random key value for the
  principal (with a new key version)
- It puts this new key into the Kerberos DB, replacing
  any previous key with a lower kvno
- It puts this new key into the keytab file that was
  specified

Therefore, each time you run ktadd, the old keytab entry
becomes obsolete.
---------------------
Why (reason) should password become ineffective after
ktadd? And if that is the case, why does it ask for
password during addprinc? Continuing with this: what is
use of this password then?

thanks,
 --kiran

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5  option
  2005-03-22 15:34       ` Kevin Coffman
@ 2005-03-22 15:41         ` mehta kiran
  0 siblings, 0 replies; 30+ messages in thread
From: mehta kiran @ 2005-03-22 15:41 UTC (permalink / raw)
  To: Kevin Coffman; +Cc: nfs

So this will work sometime later !!!! gr8
Thanks a lot, Kevin

  

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: problem mounting using NFSv4 when using -o sec=krb5 option
  2005-03-22 15:39 mehta kiran
@ 2005-03-22 16:12 ` Kevin Coffman
  0 siblings, 0 replies; 30+ messages in thread
From: Kevin Coffman @ 2005-03-22 16:12 UTC (permalink / raw)
  To: mehta kiran; +Cc: nfs

By convention, when creating a _service principal_, the addprinc 
"-randkey" option is used.  This option says to generate a random value 
for the initial key instead of prompting for a password.

When you do a ktadd, a new random key for that principal is generated 
and put into both the Kerberos Database and the keytab file.  Any 
previous keys for that principal become obsolete, including any keys 
generated from a password.

So, giving a password when creating a _service principal_ is useless 
because the key generated from that password becomes obsolete as soon 
as the ktadd command is done.

 

^ permalink raw reply	[flat|nested] 30+ messages in thread
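
Added example, not from the thread or from MIT Kerberos: a toy model of the database and keytab behaviour Kevin describes, showing why the password stops working after ktadd and why an older keytab copy goes stale. The ToyKDC class, its method names and the PBKDF2 key derivation are assumptions made for illustration; a real keytab file can also hold several entries per principal, which this model reduces to one.

```python
import hashlib
import hmac
import os


class ToyKDC:
    """Toy model of the KDC principal database: principal -> (kvno, key)."""

    def __init__(self):
        self.db = {}

    @staticmethod
    def string_to_key(password, principal):
        # Stand-in for the Kerberos string-to-key function (assumption: PBKDF2
        # salted with the principal name; real enctypes define their own).
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), principal.encode(), 4096
        )

    def addprinc(self, principal, password=None):
        """addprinc with a password, or 'addprinc -randkey' when password is None."""
        if password is None:
            key = os.urandom(32)
        else:
            key = self.string_to_key(password, principal)
        self.db[principal] = (1, key)

    def ktadd(self, principal, keytab):
        """New random key, next kvno, stored in both the database and the keytab."""
        kvno, _old_key = self.db[principal]
        entry = (kvno + 1, os.urandom(32))
        self.db[principal] = entry
        keytab[principal] = entry
        return entry[0]

    def kinit_password(self, principal, password):
        """Succeeds only while the database key is the password-derived one."""
        _kvno, key = self.db[principal]
        return hmac.compare_digest(self.string_to_key(password, principal), key)

    def kinit_keytab(self, principal, keytab):
        """Succeeds only if the keytab holds the key version the database has now."""
        if principal not in keytab:
            return False
        kvno, key = keytab[principal]
        db_kvno, db_key = self.db[principal]
        return kvno == db_kvno and hmac.compare_digest(key, db_key)


def ktadd_walkthrough():
    """Replay the sequence from the thread and record what works at each step."""
    principal = "nfs/vcslinux5.vxindia.veritas.com@VXINDIA.VERITAS.COM"
    password = "constructed-example-password"   # constructed sample value
    kdc, out = ToyKDC(), {}

    kdc.addprinc(principal, password)
    out["password_before_ktadd"] = kdc.kinit_password(principal, password)

    keytab = {}                                 # keytab written on the KDC host
    out["kvno_after_first_ktadd"] = kdc.ktadd(principal, keytab)
    out["password_after_ktadd"] = kdc.kinit_password(principal, password)
    out["keytab_after_ktadd"] = kdc.kinit_keytab(principal, keytab)

    copied = dict(keytab)                       # copy shipped to the NFS host
    out["kvno_after_second_ktadd"] = kdc.ktadd(principal, {})
    out["copied_keytab_after_second_ktadd"] = kdc.kinit_keytab(principal, copied)
    return out


if __name__ == "__main__":
    for step, result in ktadd_walkthrough().items():
        print(f"{step}: {result}")
```

The kvno values 2 and 3 the model produces are consistent with the key version numbers in the thread's klist -k listings: 1 from addprinc plus one per ktadd.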
