Sorry for taking so long to respond.

Depending on the version of Kerberos, you may need the following in
the libdefaults section of /etc/krb5.conf

    allow_weak_crypto = true

I'm not sure why the nfs.example.com entries are in /etc/hosts? That
may be part of the problem?

Make sure that 'hostname' on the server returns the correct name,
matching the name in your keytab entry (goku.example.com). Make sure
a reverse DNS lookup of the address returned by a forward DNS lookup
returns that same name as well.

K.C.

On Sat, Feb 12, 2011 at 7:49 AM, CeR <cer.inet@xxxxxxxxx> wrote:
> Thank you, I will take a look at the enctypes of my keytab. I hope
> that's the problem.
>
> Here /etc/krb5.conf
>
> -----------------------------------------------------------------------
> [libdefaults]
>     default_realm = EXAMPLE.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> #   default_tgs_enctypes = des3-hmac-sha1
> #   default_tkt_enctypes = des3-hmac-sha1
> #   permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = kerberos.example.com
>         admin_server = kerberos.example.com
>     }
> [domain_realm]
>     .example.com = EXAMPLE.COM
>     example.com = EXAMPLE.COM
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
> --------------------------------------------------------------------------------
> Here /etc/hosts
>
> 127.0.0.1 localhost goku goku.example.com nfs.example.com
> 10.0.0.1 goku goku.example.com
> 10.0.0.1 nfs.example.com
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> 2011/2/11 Kevin Coffman <kwc@xxxxxxxxxxxxxx>:
>> On Fri, Feb 11, 2011 at 1:38 PM, CeR <cer.inet@xxxxxxxxx> wrote:
>>>
>>> Hello. I have been trying to set up a local-teachpurpose-server at home.
>>>
>>> My environment: debian squeeze KVM/libvirt machine, with 2.6.32-5-amd64 kernel.
>>>
>>> When restarting services with the correct configuration, I get this:
>>> As you can see, the keytab is there, with correct permissions to read by root.
>>>
>>> root@goku:~# /etc/init.d/nfs-common restart
>>> Stopping NFS common utilities: gssd idmapd statd.
>>> Starting NFS common utilities: statd idmapd gssd.
>>>
>>> root@goku:~# /etc/init.d/nfs-kernel-server restart
>>> Stopping NFS kernel daemon: mountd svcgssd nfsd.
>>> Unexporting directories for NFS kernel daemon....
>>> Exporting directories for NFS kernel daemon....
>>> Starting NFS kernel daemon: nfsd svcgssd failed!
>>>
>>> root@goku:~# tail /var/log/syslog
>>> Feb 11 18:29:45 goku kernel: [ 2266.025197] nfsd: last server has
>>> exited, flushing export cache
>>> Feb 11 18:29:46 goku kernel: [ 2267.119699] svc: failed to register
>>> lockdv1 RPC service (errno 97).
>>> Feb 11 18:29:46 goku kernel: [ 2267.121318] NFSD: Using
>>> /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
>>> Feb 11 18:29:46 goku kernel: [ 2267.122284] NFSD: starting 90-second
>>> grace period
>>> Feb 11 18:29:46 goku rpc.svcgssd[2333]: ERROR: GSS-API: error in
>>> gss_acquire_cred(): Unspecified GSS failure. Minor code may provide
>>> more information - Key table entry not found
>>> Feb 11 18:29:46 goku rpc.svcgssd[2333]: unable to obtain root
>>> (machine) credentials
>>> Feb 11 18:29:46 goku rpc.svcgssd[2333]: do you have a keytab entry for
>>> nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
>>>
>>> root@goku:~# ls -l /etc/krb5.keytab
>>> -rw-r----- 1 root openldap 1210 feb 11 11:11 /etc/krb5.keytab
>>>
>>> root@goku:~# klist -k
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    2 host/goku.example.com@xxxxxxxxxxx
>>>    2 host/goku.example.com@xxxxxxxxxxx
>>>    2 host/goku.example.com@xxxxxxxxxxx
>>>    2 host/goku.example.com@xxxxxxxxxxx
>>>    2 ldap/goku.example.com@xxxxxxxxxxx
>>>    2 ldap/goku.example.com@xxxxxxxxxxx
>>>    2 ldap/goku.example.com@xxxxxxxxxxx
>>>    2 ldap/goku.example.com@xxxxxxxxxxx
>>>    4 nfs/goku.example.com@xxxxxxxxxxx
>>>    4 nfs/goku.example.com@xxxxxxxxxxx
>>>    4 nfs/goku.example.com@xxxxxxxxxxx
>>>    4 nfs/goku.example.com@xxxxxxxxxxx
>>>
>>> Is it a bug? An incompatibility between my package versions? A
>>> configuration problem? Any idea?
>>>
>>> Thank you. Best regards.
>>
>> First, with this kernel version, you should only have one keytab entry
>> for nfs/goku.example.com with a DES key. (You don't show the
>> enctypes, but I see you have 4 keys for nfs.) You won't hit this
>> problem until you get past the other error.
>>
>> Make sure the reverse look-up for your server's host returns the
>> correct name. (Matching the name in the keytab, "goku.example.com")
>>
>> Perhaps send a copy of /etc/hosts and your /etc/krb5.conf to see what
>> might be misconfigured.
>>
>> K.C.
>>
>
> --
> [*] CeR / Arturo Borrero Gonzalez [*]
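
The forward-then-reverse name check described in the thread, run offline against the /etc/hosts that was posted. This is an added example, not part of the original messages; the function names and the `HOSTS_FIXED` layout are assumptions, and the script models only the `files` hosts source (first matching line wins, first name on a line is the canonical name).

```shell
# Simplified model of the "files" hosts source; no DNS is queried.

# Constructed sample: the IPv4 lines of the /etc/hosts quoted in the thread.
HOSTS_POSTED='127.0.0.1 localhost goku goku.example.com nfs.example.com
10.0.0.1 goku goku.example.com
10.0.0.1 nfs.example.com'

# Constructed sample (assumption): FQDN listed first, no host aliases on loopback.
HOSTS_FIXED='127.0.0.1 localhost
10.0.0.1 goku.example.com goku'

# Constructed sample: one principal line in the form "klist -k" printed in the thread.
KEYTAB_LIST='   4 nfs/goku.example.com@xxxxxxxxxxx'

# forward_lookup HOSTS NAME -> address on the first line that lists NAME
forward_lookup() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# reverse_lookup HOSTS ADDR -> canonical (first) name on the first line for ADDR
reverse_lookup() {
    printf '%s\n' "$1" | awk -v a="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == a { print $2; exit }'
}

# expected_principal HOSTS NAME -> nfs/<name returned by forward-then-reverse
# resolution of NAME>, realm omitted
expected_principal() {
    addr=$(forward_lookup "$1" "$2")
    [ -n "$addr" ] || return 1
    printf 'nfs/%s\n' "$(reverse_lookup "$1" "$addr")"
}

# in_keytab PRINCIPAL -> succeeds if the "klist -k" text on stdin lists it
in_keytab() {
    awk -v p="$1" '{ sub(/@.*/, "", $2) } $2 == p { found = 1 } END { exit !found }'
}

for hosts in "$HOSTS_POSTED" "$HOSTS_FIXED"; do
    p=$(expected_principal "$hosts" goku.example.com)
    printf '%s\n' "$KEYTAB_LIST" | in_keytab "$p" && r=OK || r=MISMATCH
    echo "$r: resolver name gives $p"
done
```

On a live server the same comparison is made with `hostname`, `getent hosts <name>`, `getent hosts <address>` and `klist -ke`.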