Hello,
I’m trying to understand when/how the different KVNO versions in a file should
or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what
it will accept for a keytab file with different KVNO versions. I’m not sure if
I’m misunderstanding something, or there’s a bug somewhere.
So to start…
Create a host:
ipa host-add emc-nas-server.example.com --ip-address 10.75.37.2
Create a service:
ipa service-add NFS/emc-nas-server.example....@example.com
Get a keytab file:
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/emc-nas-server.example....@example.com
   2    1 nfs/emc-nas-server.example....@example.com
I upload the keytab file to the Dell Unity box. I can then mount the NFS share
with Kerberos (sec=krb5) with no problem.
Now where my question comes in, if I generate a new keytab file with
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/emc-nas-server.example....@example.com
   2    1 nfs/emc-nas-server.example....@example.com
   3    2 nfs/emc-nas-server.example....@example.com
   4    2 nfs/emc-nas-server.example....@example.com
So now this keytab file has both version 1 and version 2 in it. If I upload
this file to the Dell Unity box and try to mount the NFS share that's being
validated via Kerberos, it fails to mount. I validated with tcpdump that my NFS
client is now sending kvno 2.
Since the Unity box has the new keytab file with 2 versions, shouldn't the
Unity box be checking against all of the versions in the keytab file, or at
least the latest (KVNO 2), allowing the mount to work? It seems that the Unity
box is only checking against 1 KVNO version and failing. Since it's the same
keytab file, shouldn't this work, or am I misunderstanding something?
Thanks,
-Kevin
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
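The listing above shows two KVNOs for one principal in a single keytab. As an added example (not code from the post, from FreeIPA, ktutil or Dell Unity), the following Python builds a constructed keytab in the MIT 0x0502 on-disk format with the same shape (kvno 1 and kvno 2, two enctypes each), parses it back the way libkrb5 reads it (per-entry size field, counted octet strings, 8-bit vno plus the optional 32-bit vno extension, negative sizes for deleted slots), and contrasts the lookup a correct acceptor performs (principal, kvno and enctype taken from the ticket in the AP-REQ) with a hypothetical acceptor that ignores the requested kvno and uses the first matching slot. The realm EXAMPLE.COM, the timestamps and the key bytes are assumptions; the keys are placeholders, not real key material.

```python
"""Minimal MIT keytab (format 0x0502) writer and parser.

Added example, not code from the post, FreeIPA, ktutil or Dell Unity. It builds a
constructed keytab shaped like the post's second ktutil listing (kvno 1 and kvno 2 for
one principal) and shows the key selection an acceptor has to perform.
Assumed: realm EXAMPLE.COM, the timestamps, and placeholder key bytes (not real keys).
"""
import struct

AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype numbers
AES128_CTS_HMAC_SHA1_96 = 17

PRINCIPAL = "nfs/emc-nas-server.example.com@EXAMPLE.COM"  # realm assumed
KEY_AES256_V1 = bytes(range(0x00, 0x20))  # constructed placeholders, never real keys
KEY_AES128_V1 = bytes(range(0x20, 0x30))
KEY_AES256_V2 = bytes(range(0x40, 0x60))
KEY_AES128_V2 = bytes(range(0x60, 0x70))

# (principal, kvno, enctype, key, timestamp): first ipa-getkeytab run, then a second one
SAMPLE_ENTRIES = [
    (PRINCIPAL, 1, AES256_CTS_HMAC_SHA1_96, KEY_AES256_V1, 1700000000),
    (PRINCIPAL, 1, AES128_CTS_HMAC_SHA1_96, KEY_AES128_V1, 1700000000),
    (PRINCIPAL, 2, AES256_CTS_HMAC_SHA1_96, KEY_AES256_V2, 1700000600),
    (PRINCIPAL, 2, AES128_CTS_HMAC_SHA1_96, KEY_AES128_V2, 1700000600),
]

def _cstr(b):  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise: size, ncomp, realm, components, name type, time, vno8, keyblock, vno32."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name type KRB5_NT_PRINCIPAL, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit vno extension; overrides vno8 when non-zero
        out += struct.pack(">i", len(body)) + body  # size field excludes itself
    return bytes(out)

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return one dict per live entry, in slot order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted slot: skip the hole it left
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        _nt, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0  # optional
        kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
    return entries

def kvnos_for(entries, principal):
    """KVNOs present for a principal, e.g. [1, 2] after two ipa-getkeytab runs."""
    return sorted({e["kvno"] for e in entries if e["principal"] == principal})

def find_key(entries, principal, kvno, enctype):
    """Correct acceptor lookup: the ticket in the AP-REQ names the kvno and enctype."""
    for e in entries:
        if (e["principal"], e["kvno"], e["enctype"]) == (principal, kvno, enctype):
            return e["key"]
    return None

def find_key_first_match(entries, principal, enctype):
    """Hypothetical acceptor that ignores the requested kvno and takes the first slot."""
    for e in entries:
        if (e["principal"], e["enctype"]) == (principal, enctype):
            return e["key"]
    return None

def list_like_ktutil(entries):
    """Rows shaped like `ktutil: list`: slot, KVNO, principal."""
    return ["%4d %4d %s" % (i, e["kvno"], e["principal"]) for i, e in enumerate(entries, 1)]

SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(list_like_ktutil(ents)), "\nkvnos:", kvnos_for(ents, PRINCIPAL))
    print("first-match lookup yields the kvno 2 key:", find_key_first_match(ents, PRINCIPAL, 18) == KEY_AES256_V2)
```

Two general Kerberos points the example is built around: ipa-getkeytab in its default (non -r) mode asks the KDC to generate a new key, so each run bumps the kvno on the server side and the client's service ticket is encrypted under the newest kvno; and an acceptor is expected to pick the keytab entry whose kvno and enctype match the ticket, which is why a keytab that still carries the older kvno entries remains usable as long as the lookup is done that way. The older entries only let tickets issued before the rotation keep working for their lifetime; they also leave retired key material on the appliance, so trimming them once those tickets have expired is reasonable hygiene.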