2005-03-22 04:40:16

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Missed one thing.
I used kadmin.local to create the principals (on the machine
running the KDC).

thanks,
--kiran
--- mehta kiran <[email protected]> wrote:
> Hi Kevin,
> I created a new database and new principal and
> keytab files.
>
> Kinit does not accept the password for principals
> nfs/vcslinux5.vxindia.veritas.com
> and
> nfs/vcslinux6.vxindia.veritas.com
>
> Please let me know if I can provide some
> info (and how) (logs) which can point out the problem.
>
> thanks,
> --kiran
>
> --- Kevin Coffman <[email protected]> wrote:
> > > Hi,
> > > I tried things as directed by Trond in
> > > his previous mail and everything seemed to work
> > > fine initially. But when I rebooted the system,
> > > it started giving an error whenever I start rpc.gssd
> > > on the client machine.
> > > The error is:
> > >
> > > [root@vcslinux6 ~]# Mar 21 14:47:27 vcslinux6
> > > rpc.gssd[3487]: WARNING: Key table entry not found
> > > while getting initial ticket for principal
> > > 'nfs/[email protected]'
> > > from keytab 'FILE:/etc/krb5.keytab'
> > > Mar 21 14:47:27 vcslinux6 rpc.gssd[3487]: ERROR: No
> > > usable machine credentials obtained
> > >
> > > while #klist -k /etc/krb5.keytab gives
> > > 2 nfs/[email protected]
> >
> > I'm confused by this, but I do not know what to look
> > for.
> >
> > > I even tried recreating the Kerberos database, but in
> > > vain. I still get the same error.
> >
> > If you recreated the Kerberos database, you need to
> > create new principals and keytab files. Did you do
> > this?
> >
> > > I observed one more thing.
> > > Whenever I create a principal (other than root/admin),
> > > the passwords I enter for them during their creation
> > > are not accepted by kinit.
> >
> > This is also strange and _might_ be related. How are
> > you creating the principals -- using kadmin or
> > kadmin.local?
> > Which principals are you referring to here?
> >
> > > Please let me know where I went wrong.
> > >
> > > --thanks,
> > > --kiran



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2005-03-22 08:06:43

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Kevin,
God knows how, but everything is working fine now.
I could not figure out why it was failing earlier.

I have one question.
Is it possible to use a common IP to access
machines when Kerberos is running? I.e.
I want to access system1 with an IP, say IP.
When system1 crashes, I want to start the services
of system1 on system2 but access system2
with the same IP.

What I tried was:
create keys (on the machine running the KDC)
for all machines in my subnet.

After this, take an IP and register it with DNS
under some name, say NFS.domain.
Create a key (on the machine running the KDC) for
NFS.domain.
For the machines that will run the NFS server,
ktadd the respective machine key + ktadd the NFS.domain
key and copy the keytab file to the respective machines.
For all other machines, just ktadd the respective
machine key and copy the keytab file to the respective
machines.
In short,
on the machine running the NFS server:
#klist -k /etc/krb5.keytab
2 nfs/<hostname.domainname>@<realm>
2 nfs/NFS.domainname@<realm>

for the other machines (NFS clients):
#klist -k /etc/krb5.keytab
2 nfs/<hostname.domainname>@<realm>

But when I try to mount exported filesystems
from an NFS client
using
#mount -t nfs4 -osec=krb5 NFS.domainname:/ /share

Failed to create krb5 context for user with uid 0
with any credential cache for server NFS.domainname

Everything works well if the genuine server name is
used for mounting. The problem arises only when
(virtual IP) NFS.domainname is used.

thanks,
--kiran




2005-03-22 14:18:34

by Kevin Coffman

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

I'm happy to hear the normal case is working.

The Kerberos library code does a reverse lookup of the host it is
trying to connect to in order to obtain the "real" host name. It uses
that name to determine what principal it needs a ticket for. It would
help to see the exact messages from rpc.gssd, rpc.svcgssd, and from the
KDC.



2005-03-22 15:15:16

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

Hi Kevin,

As you said, the Kerberos library does a reverse
lookup to get the hostname to determine the
principal it needs a ticket for.
I followed the steps mentioned in my previous
mail so that I can access NFS using the same IP on
system2 if system1 crashes.
While mounting I used NFS.domainname (the entry
I added to DNS: NFS.domainname <virtual_ip>).
As the key for NFS.domainname is present on the NFS
server, shouldn't the mount be successful?

But this is not the case.
Messages on the server (vcslinux6):

Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: gss_accept_sec_context failed
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Miscellaneous failure - Wrong principal in request
Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: failed to write message
Mar 22 14:05:01 vcslinux6 crond(pam_unix)[6083]: session opened for user root by (uid=0)


Messages on the client (vcslinux5):

[root@vcslinux5 ~]# Mar 22 14:04:49 vcslinux5 rpc.gssd[4117]: WARNING: Failed to create krb5 context for user with uid 0 with any credentials cache for server vcsnfs.vxindia.veritas.com

Messages on the KDC (vcslinux1):

Mar 22 14:33:18 vcslinux1 krb5kdc[4134]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=1 tkt=23 ses=16}, nfs/[email protected] for krbtgt/[email protected]
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/[email protected] for nfs/[email protected]
Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE: authtime 1111482198, etypes {rep=16 tkt=1 ses=1}, nfs/[email protected] for nfs/[email protected]



thanks,
--kiran





2005-03-22 15:34:21

by Kevin Coffman

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

The server code is expecting a ticket for 'nfs/vcslinux6.vxindia.veritas.com',
but it is getting a ticket for 'nfs/vcsnfs.vxindia.veritas.com'.
This is a limitation of the rpcsec_gss library. This is on my list of
things to try and change.

Kevin


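An added example, not code from this thread, from nfs-utils or from MIT Kerberos: the check a practitioner would run before putting a Kerberized NFSv4 export behind a floating name like the NFS.domainname setup kiran describes, plus a correlation of the rpc.gssd and rpc.svcgssd lines he posted. It models the two things Kevin states: the client reverse-resolves the host it connects to and asks the KDC for nfs/<that name>, and the server-side rpcsec_gss code of the time accepts only nfs/<its own hostname>. The FORWARD/REVERSE tables, the addresses 10.212.99.50 and 10.212.99.16, the klist listing and all function names are assumptions of this example; only the host names and log lines come from the thread.

```python
"""Pre-flight and log check for Kerberized NFSv4 behind a floating (virtual) name.

Added example, not code from the thread, nfs-utils or MIT Kerberos.  DNS data,
addresses and the keytab listing are constructed; host names and log lines come
from the thread.  Assumptions about library behaviour are marked where made.
"""
import re
from typing import Dict, Optional, Set

REALM = "VXINDIA.VERITAS.COM"

# Constructed stand-in for DNS; the addresses are assumed, not from the thread.
FORWARD: Dict[str, str] = {
    "vcsnfs.vxindia.veritas.com": "10.212.99.50",     # floating service address
    "vcslinux6.vxindia.veritas.com": "10.212.99.16",  # node currently serving
}
REVERSE: Dict[str, str] = {
    "10.212.99.50": "vcsnfs.vxindia.veritas.com",
    "10.212.99.16": "vcslinux6.vxindia.veritas.com",
}

# Constructed `klist -k /etc/krb5.keytab` output for the server node with the
# two principals kiran says its keytab holds.
SERVER_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   2 nfs/vcslinux6.vxindia.veritas.com@VXINDIA.VERITAS.COM
   2 nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM
"""

# The thread's log lines, re-joined from the mail wrapping.
CLIENT_LOG = ("Mar 22 14:04:49 vcslinux5 rpc.gssd[4117]: WARNING: Failed to create "
              "krb5 context for user with uid 0 with any credentials cache for "
              "server vcsnfs.vxindia.veritas.com\n")
SERVER_LOG = ("Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING: "
              "gss_accept_sec_context failed\n"
              "Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: ERROR: GSS-API: error in "
              "handle_nullreq: gss_accept_sec_context(): Miscellaneous failure - "
              "Wrong principal in request\n")

_KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")
_GSSD_FAIL = re.compile(r"rpc\.gssd\[\d+\]: WARNING: Failed to create krb5 context "
                        r".* for server (\S+)")
_SVCGSSD_WRONG = re.compile(r"(\S+) rpc\.svcgssd\[\d+\]: .*Wrong principal in request")

def parse_klist(text: str) -> Set[str]:
    """Principals listed by `klist -k`; header and rule lines are skipped."""
    return {m.group(1) for m in map(_KLIST_LINE.match, text.splitlines()) if m}

def canonical_host(name: str, forward: Dict[str, str], reverse: Dict[str, str]) -> str:
    """Name the client builds the service principal from: forward lookup of the
    mount target, then the PTR of that address (assumption: with no PTR the
    forward name is kept as given)."""
    name = name.lower().rstrip(".")
    ip = forward.get(name)
    return reverse.get(ip, name) if ip else name

def requested_principal(mount_name: str, forward: Dict[str, str],
                        reverse: Dict[str, str], realm: str = REALM) -> str:
    return f"nfs/{canonical_host(mount_name, forward, reverse)}@{realm}"

def accepted_principals(server_hostname: str, keytab: Set[str],
                        realm: str = REALM) -> Set[str]:
    """Acceptor behaviour as Kevin describes it: only nfs/<the server's own
    hostname>, and only if that key is in the keytab."""
    return {f"nfs/{server_hostname.lower()}@{realm}"} & keytab

def check_mount(mount_name: str, server_hostname: str, klist_text: str,
                forward: Dict[str, str], reverse: Dict[str, str]) -> Dict[str, object]:
    """Predict whether `mount -t nfs4 -o sec=krb5 <mount_name>:/ ...` can set up
    a GSS context against <server_hostname>, and why not if it cannot."""
    keytab = parse_klist(klist_text)
    want = requested_principal(mount_name, forward, reverse)
    ok = accepted_principals(server_hostname, keytab)
    verdict = "ok"
    if want not in keytab:
        verdict = "server keytab lacks the requested principal"
    elif want not in ok:
        verdict = "Wrong principal in request: server expects " + ", ".join(sorted(ok))
    return {"requested": want, "in_keytab": want in keytab,
            "accepted": want in ok, "verdict": verdict}

def diagnose(client_log: str, server_log: str) -> Optional[Dict[str, str]]:
    """Pair rpc.gssd's context failure with rpc.svcgssd's rejection, naming the
    host the client asked for and the server that refused it."""
    target = next((m.group(1) for m in map(_GSSD_FAIL.search, client_log.splitlines()) if m), None)
    server = next((m.group(1) for m in map(_SVCGSSD_WRONG.search, server_log.splitlines()) if m), None)
    if target is None or server is None:
        return None
    return {"requested_host": target, "rejecting_server": server,
            "cause": f"{server} accepts only its own nfs/ principal, not nfs/{target}"}

if __name__ == "__main__":
    srv = "vcslinux6.vxindia.veritas.com"
    print(check_mount("vcsnfs.vxindia.veritas.com", srv, SERVER_KLIST, FORWARD, REVERSE))
    print(diagnose(CLIENT_LOG, SERVER_LOG))
```

With the constructed DNS data, mounting by vcsnfs.vxindia.veritas.com reproduces the thread's outcome: the client requests nfs/vcsnfs.vxindia.veritas.com@VXINDIA.VERITAS.COM, which is in the server's keytab but is not the principal the acceptor expects, so the verdict is the "Wrong principal in request" the svcgssd log shows. Mounting by the server's genuine name gives "ok", as kiran reports. One further case follows from Kevin's explanation rather than from anything the thread tested: if the PTR of the floating address pointed at the currently active node's real name, the client would request that node's own principal and the check passes under the same acceptor rule; a failover would then need the PTR moved along with the address.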

2005-03-22 15:41:24

by mehta kiran

Subject: Re: problem mounting using NFSv4 when using -o sec=krb5 option

So this will work sometime later!!!! Great.
Thanks a lot, Kevin.


--- Kevin Coffman <[email protected]> wrote:

> The server code is expecting a ticket for
> 'nfs/vcslinux6.vxindia.veritas
> .com', but it is getting a ticket for
> 'nfs/vcsnfs.vxindia.veritas.com'.
> This is a limitation of the rpcsec_gss library.
> This is on my list of
> things to try and change.
>
> Kevin
>
>
> > Hi Kevin,
> >
> > As you told, the Kerberos library does a reverse
> > lookup to get the hostname to determine the
> > principal it needs a ticket for.
> > I followed the steps as mentioned in my previous
> > mail so that I can access NFS using the same IP on
> > system2 if system1 crashes.
> > While mounting I used NFS.domainname (entry
> > I added to DNS: NFS.domainname <virtual_ip>).
> > As the key for NFS.domainname is present on the NFS
> > server, shouldn't the mount be successful?
> >
> > But this is not the case.
> > Messages on server (vcslinux6):
> >
> > Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING:
> > gss_accept_sec_context failed
> > Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: ERROR:
> > GSS-API: error in handle_nullreq:
> > gss_accept_sec_context(): Miscellaneous failure -
> > Wrong principal in request
> > Mar 22 14:04:08 vcslinux6 rpc.svcgssd[4969]: WARNING:
> > failed to write message
> > Mar 22 14:05:01 vcslinux6 crond(pam_unix)[6083]:
> > session opened for user root by (uid=0)
> >
> >
> > Messages on client (vcslinux5):
> >
> > [root@vcslinux5 ~]# Mar 22 14:04:49 vcslinux5
> > rpc.gssd[4117]: WARNING: Failed to create krb5 context
> > for user with uid 0 with any credentials cache for
> > server vcsnfs.vxindia.veritas.com
> >
> > Message on KDC (vcslinux1):
> >
> > Mar 22 14:33:18 vcslinux1 krb5kdc[4134]: AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE:
> > authtime 1111482198, etypes {rep=1 tkt=23 ses=16},
> > nfs/[email protected]
> > for krbtgt/[email protected]
> > Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE:
> > authtime 1111482198, etypes {rep=16 tkt=1 ses=1},
> > nfs/[email protected]
> > for nfs/[email protected]
> > Mar 22 14:33:41 vcslinux1 krb5kdc[4134]: TGS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.212.99.13: ISSUE:
> > authtime 1111482198, etypes {rep=16 tkt=1 ses=1},
> > nfs/[email protected]
> > for nfs/[email protected]
> >
> >
> >
> > thanks,
> > --kiran
> >
> >
> > --- Kevin Coffman <[email protected]> wrote:
> >
> > > I'm happy to hear the normal case is working.
> > >
> > > The Kerberos library code does a reverse lookup of
> > > the host it is trying to connect to in order to obtain the "real"
> > > host name. It uses that name to determine what principal it needs a
> > > ticket for. It would help to see the exact messages from rpc.gssd,
> > > rpc.svcgssd, and from the KDC.
> > >
> > >
> > > > Hi Kevin,
> > > > God knows how, but everything is working fine
> > > > now.
> > > > I could not figure out why it was failing
> > > > earlier.
> > > >
> > > > I have one question.
> > > > Is it possible to use a common IP to access
> > > > machines when Kerberos is running, i.e.
> > > > I want to access system1 with an IP, say IP.
> > > > When system1 crashes, I want to start the services
> > > > of system1 on system2 but want to access system2
> > > > with the same IP.
> > > >
> > > > What I tried was:
> > > > create keys (on the machine running the KDC)
> > > > for all machines in my subnet.
> > > >
> > > > After this take an IP and register it with DNS
> > > > with some name, say NFS.domain.
> > > > Create a key (on the machine running the KDC) for
> > > > NFS.domain.
> > > > For the machines which will run the NFS server,
> > > > ktadd the respective machine key + ktadd the NFS.domain
> > > > key and copy the keytab file to the respective machines.
> > > > For all other machines just ktadd the respective
> > > > machine key and copy the keytab file to the respective
> > > > machines.
> > > > In short,
> > > > on the machine running the nfs server,
> > > > #klist -k /etc/krb5.keytab
> > > > 2 nfs/<hostname.domainname>@<realm>
> > > > 2 nfs/NFS.domainname@<realm>
> > > >
> > > > for other machines (nfs clients)
> > > > #klist -k /etc/krb5.keytab
> > > > 2 nfs/<hostname.domainname>@<realm>
> > > >
> > > > but when I try to mount the exported filesystems
> > > > from the nfs client,
> > > > using
> > > > #mount -t nfs4 -osec=krb5 NFS.domainname:/ /share
> > > >
> > > > Failed to create krb5 context for user with uid 0
> > > > with any credential cache for server
> > > > NFS.domainname
> > > >
> > > > Everything works well if the genuine server name is
> > > > used for mounting. The problem arises only when
> > > > (virtual ip) NFS.domainname is used.
> > > >
> > > > thanks,
> > > > --kiran
> > > >
> > > >
> > > >
> > > > --- mehta kiran <[email protected]> wrote:
> > > >
> > > > > Missed one thing.
> > > > > I used kadmin.local to create the principals (on the
> > > > > machine running the KDC)
> > > > >
> > > > > thanks,
> > > > > --kiran
> > > > > --- mehta kiran <[email protected]> wrote:
> > > > > > Hi Kevin,
> > > > > > I created a new database and new principal and
> > > > > > keytab files.
> > > > > >
> > > > > > Kinit does not accept the password for principals
> > > > > > nfs/vcslinux5.vxindia.veritas.com
> > > > > > and
>
=== message truncated ===




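The mismatch Kevin describes (client asks for a ticket for the reverse-looked-up name, server accepts only nfs/<its own host name>), as an added example that is not part of the thread; the realm EXAMPLE.REALM, the addresses, the DNS table and the keytab listing are constructed, only the host names come from the messages above.

```shell
#!/bin/sh
# Added example, not code from the thread: models how the client's Kerberos
# library picks the NFS service principal and why a key for the virtual-IP
# name in the server keytab is not enough. Realm, addresses, DNS table and
# keytab listing are constructed sample values; host names are the thread's.
REALM="EXAMPLE.REALM"

# Constructed DNS table: "<name> <address> <ptr-name>". The PTR record of the
# virtual address points at the alias, so a reverse lookup returns the alias.
DNS_TABLE='vcslinux6.vxindia.veritas.com 192.0.2.6 vcslinux6.vxindia.veritas.com
vcsnfs.vxindia.veritas.com 192.0.2.100 vcsnfs.vxindia.veritas.com'

# Constructed "klist -k" listing of the server keytab, laid out as in the thread.
SERVER_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 nfs/vcslinux6.vxindia.veritas.com@EXAMPLE.REALM
   2 nfs/vcsnfs.vxindia.veritas.com@EXAMPLE.REALM'

forward_lookup() {   # name on the mount line -> address the client connects to
    printf '%s\n' "$DNS_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }'
}
reverse_lookup() {   # address -> canonical host name the Kerberos library uses
    printf '%s\n' "$DNS_TABLE" | awk -v a="$1" '$2 == a { print $3; exit }'
}
# Principal the client requests a ticket for: nfs/<reverse-lookup name>@REALM.
client_principal() {
    printf 'nfs/%s@%s\n' "$(reverse_lookup "$(forward_lookup "$1")")" "$REALM"
}
# Exit 0 if the keytab listing holds the principal (header lines are skipped).
keytab_has() {
    printf '%s\n' "$SERVER_KEYTAB" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit !f }'
}
# Outcome of the mount: the server accepts only nfs/<its own host name>, the
# rpcsec_gss limitation Kevin describes, whatever else the keytab contains.
check_mount() {   # $1 = name on the mount line, $2 = server's own host name
    got=$(client_principal "$1")
    want="nfs/$2@$REALM"
    keytab_has "$got" || { echo "no key for $got in keytab"; return 0; }
    if [ "$got" = "$want" ]; then
        echo "ok"
    else
        echo "Wrong principal in request: key for $got exists, server expects $want"
    fi
}

check_mount vcslinux6.vxindia.veritas.com vcslinux6.vxindia.veritas.com   # ok
check_mount vcsnfs.vxindia.veritas.com vcslinux6.vxindia.veritas.com      # Wrong principal
```

The second call reproduces the situation in the logs above: the key for the virtual-IP name is present in the keytab, yet the request is still rejected because it does not match the server's own host principal.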

