Kevin Vasko via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Hello,
>
> I’m trying to understand when/how the different KVNO versions in a
> file should or shouldn’t work. We have a Dell EMC Unity box that’s
> giving us fits on what it will accept for a keytab file with different
> KVNO versions. I’m not sure if I’m misunderstanding something, or
> there’s a bug somewhere.
>
> So to start…
>
> Create a host:
> ipa host-add emc-nas-server.example.com --ip-address 10.75.37.2
>
> Create a service:
> ipa service-add NFS/emc-nas-server.example....@example.com
>
> Get a keytab file:
> ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
>
> Check the keytab file:
> ktutil
> ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 nfs/emc-nas-server.example....@example.com
>    2    1 nfs/emc-nas-server.example....@example.com
>
> I upload the keytab file to the Dell Unity box. I can then mount the
> NFS share no problem with Kerberos sec=krb5
>
> Now where my question comes in, if I generate a new keytab file with
>
> ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
>
> Check the keytab file:
> ktutil
> ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 nfs/emc-nas-server.example....@example.com
>    2    1 nfs/emc-nas-server.example....@example.com
>    3    2 nfs/emc-nas-server.example....@example.com
>    4    2 nfs/emc-nas-server.example....@example.com
>
> So now this keytab file has version 1 and version 2 in the keytab
> file. If I upload this file to the Dell Unity box and try to mount the
> NFS share that’s being validated via Kerberos it fails to mount. I
> validated that my NFS client is now sending kvno 2 with tcpdump.
>
> Since the Unity box has the new keytab file with 2 versions, shouldn’t
> the Unity box be checking against all of the versions of the keytab
> file or at least the latest (KVNO 2) allowing the mount to work?
>
> It seems that the Unity box is only checking against 1 KVNO version
> and failing. Since it’s the same keytab file shouldn’t this work or am
> I misunderstanding something?

The KDC is the authority on what kvno should be used (always the latest one it knows about) for new tickets. Every invocation of `ipa-getkeytab` increments the kvno. Entries from the keytab are matched based on both principal name and kvno.

You can check the latest kvno by running (after kinit): `kvno nfs/emc-nas-server.example.com`, then check that that kvno is in the keytab. If so, I'd expect everything to work.

Thanks,
--Robbie
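To make the "matched on principal name and kvno" rule concrete, here is an added example (not code from the thread or from FreeIPA) that parses an MIT keytab (format version 0x0502) and answers the question "is the kvno the KDC now issues present for this principal?". The sample keytab bytes are constructed inline to mirror the thread: two entries at kvno 1, then two at kvno 2; realm and enctypes are assumptions.

```python
import struct
def _counted(buf, off):                 # counted string: u16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(realm, comps, kvno, enctype, key):
    """Serialise one entry of a version-0x0502 keytab, with the trailing 32-bit kvno."""
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative length marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _, _, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen
        # krb5 rule: a trailing non-zero 32-bit vno overrides the 8-bit one
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype))
        off = end
    return entries

def kvno_present(data, principal, kvno):
    """The check from the reply: an entry is usable only if principal AND kvno both match."""
    return any(p == principal and v == kvno for p, v, _ in parse_keytab(data))

# Constructed sample mirroring the thread: aes256/aes128 keys at kvno 1, then again at kvno 2.
PRINC = ("EXAMPLE.COM", ["nfs", "emc-nas-server.example.com"])
SAMPLE = b"\x05\x02" + b"".join(build_entry(*PRINC, kv, et, b"\x00" * n)
                                for kv in (1, 2) for et, n in ((18, 32), (17, 16)))
```

Feed `parse_keytab` the bytes of a real keytab file and compare against the number printed by `kvno`; a keytab listing only older kvnos for the principal is the failure mode the thread describes.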