Hello,
I’m trying to understand when/how the different KVNO versions in a file should
or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what
it will accept for a keytab file with different KVNO versions. I’m not sure if
I’m misunderstanding something, or there’s a bug somewhere.
So to start…
Create a host:
ipa host-add emc-nas-server.example.com --ip-address 10.75.37.2
Create a service:
ipa service-add NFS/[email protected]
Get a keytab file:
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 nfs/[email protected]
2 1 nfs/[email protected]
I upload the keytab file to the Dell Unity box. I can then mount the NFS share
no problem with Kerberos (sec=krb5).
Now, where my question comes in: if I generate a new keytab file with
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 nfs/[email protected]
2 1 nfs/[email protected]
3 2 nfs/[email protected]
4 2 nfs/[email protected]
So now this keytab file has version 1 and version 2 in it. If I
upload this file to the Dell Unity box and try to mount the NFS share that's
being validated via Kerberos, it fails to mount. I validated with tcpdump that my NFS client
is now sending kvno 2.
Since the Unity box has the new keytab file with 2 versions, shouldn't the
Unity box be checking against all of the versions in the keytab file, or at
least the latest (KVNO 2), allowing the mount to work? It seems that the Unity
box is only checking against 1 KVNO version and failing. Since it's the same
keytab file, shouldn't this work, or am I misunderstanding something?
Thanks,
-Kevin
_______________________________________________
FreeIPA-users mailing list -- [email protected]
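The question above is really about which KVNOs a keytab holds for a principal and whether the server side can find a key matching the KVNO in the client's ticket. The following is an added example, not code from the post or from FreeIPA/Dell: it parses the MIT keytab format (version 0x0502) and builds a constructed sample mirroring the second ktutil listing (two enctypes at KVNO 1 and KVNO 2). EXAMPLE.COM is a placeholder realm, and the key bytes are dummies.

```python
import struct
def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one entry in MIT keytab format 0x0502 (only used to build the sample)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key        # keyblock: enctype + key octets
    body += struct.pack(">I", kvno)                            # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a 0x0502 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                       # negative size marks a deleted entry (hole)
            pos += -size
            continue
        e, off = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack_from(">HH", e, off); off += 4
        realm, comps = e[off:off + rlen].decode(), []; off += rlen
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", e, off); off += 2
            comps.append(e[off:off + clen].decode()); off += clen
        _nt, _ts, vno8 = struct.unpack_from(">IIB", e, off); off += 9
        enctype, klen = struct.unpack_from(">HH", e, off); off += 4 + klen
        vno32 = struct.unpack_from(">I", e, off)[0] if off + 4 <= len(e) else 0
        out.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        pos += size
    return out
def kvnos_by_principal(data):
    """Map each principal to the set of KVNOs the keytab holds keys for."""
    table = {}
    for princ, kvno, _ in parse_keytab(data):
        table.setdefault(princ, set()).add(kvno)
    return table
def can_decrypt_ticket(data, principal, ticket_kvno):
    """Server-side check: a ticket is serviceable only if its KVNO has a key in the keytab."""
    return ticket_kvno in kvnos_by_principal(data).get(principal, set())
# Constructed sample like the post's second listing: two enctypes at KVNO 1 and 2 (placeholder realm, dummy keys).
PRINC = "nfs/emc-nas-server.example.com@EXAMPLE.COM"
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(PRINC, kvno, et, bytes([kvno]) * (32 if et == 18 else 16))
    for kvno in (1, 2) for et in (18, 17))        # 18 = aes256-cts-hmac-sha1-96, 17 = aes128
```

Running `parse_keytab` over a real keytab (open it in binary mode) lists the same slots ktutil shows, and `can_decrypt_ticket` expresses the lookup a correctly behaving server should perform: any KVNO present in the file is serviceable, not just one of them.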