> 3) anyway the best would be to pull old key from backups (either from
> kdc or server backup) and put it back to KDC under correct kvno
>
> depending on your skills and other factors of your environment,
> restoring whole KDC db might be easier than to mess with single entry ...
btw, just
I'm definitely not an expert on the field, but I'd guess you'd have to:
1) wait until client tickets expire and clients request new ones for
current kvno
2) due to Linux NFS credential storage buried deep in the kernel,
reboot all clients (sometimes just restarting services helps,
Probably. If I interpret your email, you recreated the key table for the
server. I assume you either rebooted the server or restarted everything
relevant (most critical would be rpc.svcgssd).
I agree that rebooting clients would probably do it on the client side, except
that not all systems
Hi Charles,
Surely the action of rebooting the client would do all of that?
‐‐‐ Original Message ‐‐‐
On Monday, July 22, 2019 2:13 PM, Charles Hedrick wrote:
> Unfortunately it’s likely to take some experimentation. My starting point
> would be on each client, unmount the file
Unfortunately it’s likely to take some experimentation. My starting point would
be on each client, unmount the file system, maybe delete /tmp/krb5ccmachine*,
restart rpc.gssd, and remount.
> On Jul 22, 2019, at 6:22 AM, Laura Smith
> wrote:
>
> Ok, I hold my hand up, I messed up. So the
I'm not an expert but I'd try:
1) check if the keys for service are in sync in KDB and service keytab.
if client reboot does not help, I'd guess keys are not in proper sync
2) pull old keytab from NFS server backup and merge it with current
keytab
client with not-yet expired tickets
Maybe a couple of hours or so.
"klist -l" shows empty on a client I've tried.
When mounting, the client now shows :
mount.nfs4: access denied by server while mounting (null)
mount: mounting foo.example.com:/srv/share/foo on /mnt/foo failed: Invalid
argument
Dmesg on the client shows:
NFS:
How long has it been since this happened?
I think that the clients will be fine once their old ccaches expire. Have you
tried forcing the issue by manually refreshing one of the clients?
> On Jul 22, 2019, at 06:22, Laura Smith
> wrote:
>
> Ok, I hold my hand up, I