NFSv4 with Kerberos Auth ERROR: GSS-API: error in gss_acqui

Hi Folks,

I'm trying to set up NFSv4 with Kerberos auth via AD.
Running SLES11 SP2 and get this error when trying to start the nfs-server:
daemon.err rpc.svcgssd[20397]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name
2013-12-09 14:52:10 +01:00 MYHOST daemon.err rpc.svcgssd[20397]: unable to obtain root (machine) credentials
2013-12-09 14:52:10 +01:00 MYHOST daemon.err rpc.svcgssd[20397]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

my keytabfile:
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
2 nfs/MYHOST.INTERN@REALM
5 host/MYHOST.INTERN@REALM
6 root/MYHOST.INTERN@REALM

crypto is all

my krb5.conf:

[libdefaults]

AD-Server

dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = [REALM]

kdc_timesync = 4
ccache_type = 1
forwardable = true
proxiable = true
allow_weak_crypto = true

[realms]
[REALM] = {
kdc = 192.168.12.23:88
default_domain = [REALM]
}

[domain_realm]
.INTERN = [REALM]
INTERN = [REALM]

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

On my NFS client I'm able to get a Kerberos ticket.

Greetz
Cord

Hi Cord,

just a shot in the dark… MIT Kerberos libraries seem to be very sensitive to the contents of /etc/hosts and DNS resolution, and dislike /etc/hosts statements like “::1 my.local.host.name”… does everything resolve as expected for your host, via local name resolution?

Regards,
Jens
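
Added example (not part of the posts in this thread): a shell check that compares the service name the error message asks for, nfs/<your.host>, with the principals in a `klist -ke` listing and reports an exact match, a match that differs only in letter case (MIT keytab lookups compare names case-sensitively), or no entry. The function names and the sample listing (constructed from the one in the first post) are illustrative, and taking the host name from `hostname -f` is an assumption about how the server resolves its own name.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Compares "nfs/<FQDN>" with the principals printed by `klist -ke`.
# Keytab lookups are case-sensitive, so nfs/MYHOST.INTERN and
# nfs/myhost.intern are two different entries.

# match_nfs_principal FQDN   (reads `klist -ke` output on stdin)
# Prints one of:
#   exact <principal>          entry matches byte for byte
#   case-mismatch <principal>  entry exists but differs in letter case
#   missing                    no nfs/ entry for this host at all
match_nfs_principal() {
    want="nfs/$1"
    awk -v want="$want" '
        # Principal lines look like: "<kvno> <service>/<host>@<REALM> (enctype)"
        $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
            name = $2
            sub(/@.*/, "", name)            # drop the realm part
            if (name == want)
                exact = $2
            else if (tolower(name) == tolower(want))
                ci = $2
        }
        END {
            if (exact != "")      print "exact " exact
            else if (ci != "")    print "case-mismatch " ci
            else                  print "missing"
        }'
}

# Constructed sample, modelled on the keytab listing in the first post.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 nfs/MYHOST.INTERN@REALM
   5 host/MYHOST.INTERN@REALM
   6 root/MYHOST.INTERN@REALM
EOF
}

# Live use on the NFS server (needs read access to the keytab):
#   klist -ke /etc/krb5.keytab | match_nfs_principal "$(hostname -f)"
```

A `case-mismatch` or `missing` result means the keytab has no entry under the exact name being compared, which is the condition the "No principal in keytab matches desired name" message describes.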

Hi Jens,

yes, name resolution works fine.
I also deleted the “::1 entry” but nothing happened.

Greetz
Cord

Hi Cord & all,

Kerberos isn’t in my “portfolio” yet, so I’m not able to really help (except for gathering & digesting stuff from around the Internet)

If anyone else can come to help here, please don’t hesitate to add your comments!

Regards,
Jens