> Your nfs server's keytab has kvno 5. You need to do the getprinc on
> that same principal to see what the key version number is in the KDC.
> (Your klist shows principal nfs/[EMAIL PROTECTED], but the
> getprinc output is for nfs/[EMAIL PROTECTED])
>
> The kvno of the extracted key in the nfs server's keytab must match
> the kvno of that same principal in the KDC. To make sure they match,
> extract a new keytab for the nfs/nfsserver principal.
Ah, I see what you're saying, I think. Sorry about the confusion:
kadmin: getprinc nfs/nfsserver.domain.com
Principal: nfs/[EMAIL PROTECTED]
Expiration date: [never]
Last password change: Mon Jun 19 12:15:22 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Jun 19 12:15:22 PDT 2006 (admin/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 13, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
Then:
% klist -e -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 05/08/06 10:04:34 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
So we're looking at kvno 13 vs kvno 5? By extracting a new keytab, you
mean just remove the nfs/nfsserver.domain.com from the KDC's
/etc/krb5.keytab file and do a new 'ktadd -e des-cbc-crc:normal
nfs/nfsserver.domain.com' (in kadmin) to re-add it? And it should
re-add with the matching version number automatically?
Sorry about the ignorance here; I'm fairly new to Kerberos.
ciao, erich
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
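
An added example, not part of the original message: a check that compares the key version number in `getprinc` output with the `klist -k` entries for the same principal, which is the comparison the thread is working through. The sample outputs are constructed (the realm EXAMPLE.COM is a placeholder), the function names are hypothetical, and treating the highest vno listed by the KDC as the current key is an assumption.

```python
import re

# Constructed sample output, modelled on the thread; EXAMPLE.COM is a placeholder realm.
GETPRINC = """\
Principal: nfs/nfsserver.domain.com@EXAMPLE.COM
Key: vno 13, DES cbc mode with CRC-32, no salt
"""
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 05/08/06 10:04:34 nfs/nfsserver.domain.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

def kdc_kvnos(getprinc_text):
    """Return (principal, set of key version numbers) from kadmin getprinc output."""
    principal = re.search(r"^Principal:\s*(\S+)", getprinc_text, re.M)
    vnos = {int(v) for v in re.findall(r"^Key: vno (\d+),", getprinc_text, re.M)}
    return (principal.group(1) if principal else None), vnos

def keytab_kvnos(klist_text, principal):
    """Return the kvnos that klist -k lists for one principal."""
    vnos = set()
    for line in klist_text.splitlines():
        # Row layout: KVNO, date and time (only with -t), principal, (enctype) (only with -e).
        m = re.match(r"\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)", line)
        if m and m.group(2) == principal:
            vnos.add(int(m.group(1)))
    return vnos

def check(getprinc_text, klist_text):
    """Compare KDC and keytab kvnos for one principal; return (ok, message)."""
    principal, kdc = kdc_kvnos(getprinc_text)
    if principal is None or not kdc:
        return False, "could not parse getprinc output"
    keytab = keytab_kvnos(klist_text, principal)
    if not keytab:
        return False, f"{principal}: no entry in keytab"
    current = max(kdc)  # assumption: the highest vno listed is the current key
    if current in keytab:
        return True, f"{principal}: keytab holds current kvno {current}"
    return False, f"{principal}: KDC kvno {current}, keytab has {sorted(keytab)}"

if __name__ == "__main__":
    print(check(GETPRINC, KLIST)[1])
```

Both outputs must be for the same principal; the check matches the full principal string, so a host-name or realm difference shows up as "no entry in keytab" rather than as a kvno mismatch.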