Hello,
 
I’m trying to understand when/how the different KVNO versions in a file should 
or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what 
it will accept for a keytab file with different KVNO versions. I’m not sure if 
I’m misunderstanding something, or there’s a bug somewhere. 
 
So to start…
 
Create a host:
ipa host-add emc-nas-server.example.com --ip-address 10.75.37.2
 
Create a service:
ipa service-add NFS/emc-nas-server.example....@example.com
 
Get a keytab file:
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
 
Check the keytab file:
ktutil
ktutil:  read_kt /tmp/emc-nas-server.example.com.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/emc-nas-server.example....@example.com
   2    1 nfs/emc-nas-server.example....@example.com
 
I upload the keytab file to the Dell Unity box. I can then mount the NFS share 
no problem with Kerberos sec=krb5.
 
Now where my question comes in, if I generate a new keytab file with
 
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
 
Check the keytab file:
ktutil
ktutil:  read_kt /tmp/emc-nas-server.example.com.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/emc-nas-server.example....@example.com
   2    1 nfs/emc-nas-server.example....@example.com
   3    2 nfs/emc-nas-server.example....@example.com
   4    2 nfs/emc-nas-server.example....@example.com
 
So now this keytab file has version 1 and version 2 in the keytab file. If I 
upload this file to the Dell Unity box and try to mount the NFS share that’s 
being validated via Kerberos it fails to mount. I validated that my NFS client 
is now sending kvno 2 with tcpdump. 
 
Since the Unity box has the new keytab file with 2 versions, shouldn’t the 
Unity box be checking against all of the versions of the keytab file or at 
least the latest (KVNO 2) allowing the mount to work? It seems that the Unity 
box is only checking against 1 KVNO version and failing. Since it’s the same 
keytab file shouldn’t this work or am I misunderstanding something?
 
Thanks,

-Kevin
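
Added example, not part of the original post: a parser for the MIT keytab file format (0x0502) that lists the (principal, KVNO, enctype) entries in a file and checks whether the KVNO and enctype seen in a ticket have a matching entry, which is the match an MIT krb5 acceptor makes when it picks a key. The principal, realm, enctypes and keys are constructed; `build_entry` and `has_key` are hypothetical helper names.

```python
import struct

def _cs(b):  # counted string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_cs(buf, off):  # returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(realm, comps, kvno, enctype, key):
    """Build one constructed keytab entry (sample data only)."""
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(map(_cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + _cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a keytab in format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _read_cs(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cs(data, p)
            comps.append(c.decode())
        kvno = data[p + 8]         # after name type (4 bytes) and timestamp (4)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = _read_cs(data, p + 11)
        if end - p >= 4:           # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return out

def has_key(entries, principal, kvno, enctype):  # exact-match key lookup
    return (principal, kvno, enctype) in entries

# Constructed sample: two enctypes (17, 18) at KVNO 1 and again at KVNO 2.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(b"TEST.REALM", [b"nfs", b"nas.test"], k, e, bytes(16))
    for k in (1, 2) for e in (17, 18))
```

Running `parse_keytab` over the bytes of the file that was actually uploaded shows whether a KVNO 2 entry with the ticket's enctype is present in it.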