From owner-freebsd-stable@FreeBSD.ORG Sat Sep 18 01:56:10 2010
From: Rick Macklem
To: George Mamalakis
Cc: stable@freebsd.org
Date: Fri, 17 Sep 2010 21:56:09 -0400 (EDT)
Subject: Re: fbsd8_stable nfsv3 sys=krb5 issue [resolved]
Message-ID: <1492653837.1123691.1284774969145.JavaMail.root@erie.cs.uoguelph.ca>
In-Reply-To: <4C932B8B.2040705@eng.auth.gr>
List-Id: Production branch of FreeBSD source code

> Rick, I found the problem once I followed your suggestion to kinit -k
> fbsdclient.ee.auth.gr on the server; the output was "wrong password" or
> something like that.
>
> On both server and client I have two keys stored in their
> /etc/krb5.keytab files: one nfs/blabla and one host/blabla (due to other
> services I was testing on them). On the server, the first key stored in
> the keytab file was the host/ key and not the nfs/ key. Hence it
> wouldn't accept it (even though the kdc.log wouldn't complain... this I
> still haven't understood so far). Once I placed a single
> /etc/krb5.keytab file containing only the nfs/ key, everything worked as
> it should.
>
> Which yields the (natural?) question: why am I unable to kinit to both
> keys stored in my keytab (I am able to kinit only to the *first* key
> stored in the keytab), even though I have the right to store more than
> one key in a keytab?
>
Well, if it can only use the first entry in the keytab file, I would
think that's a bug. (I have used a case where the entry wasn't the first
one in the keytab file before and had it work, but I was using an older
version of Heimdal on the BSD machine and an MIT KDC that generated the
keytab file.)

I have screwed up keytab entries in the past. A couple of my favourite
ways to do so are:
- creating another keytab entry for the same principal, which makes the
  old one invalid, due to the change in version#.
- creating the keytab entry with the wrong encryption type.

Oh, and I'm not volunteering to go bug hunting in Kerberos:-)

rick
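The two keytab failure modes Rick lists (a stale entry left behind when a principal is re-added with a new kvno, and an entry with the wrong encryption type) and George's question about entry order can all be checked offline by reading the keytab file directly. The script below is an added example, not code from the thread or from FreeBSD; it parses the 0x0502 keytab format that both MIT and Heimdal ktutil write, skips the secret key bytes, and reports per principal its position in the file, its kvnos and its enctypes. The sample keytab is constructed in the script: the hostname fbsdclient.ee.auth.gr comes from the post, while the realm EXAMPLE.REALM, the kvno values and the key bytes are placeholders.

```python
"""Added example: inspect a Kerberos keytab (0x0502 format) offline.

Reports, per principal, file position, key version numbers (kvno) and
encryption types, so stale entries from a kvno bump and wrong-enctype
entries are visible without a KDC.  The sample keytab below is
constructed here; EXAMPLE.REALM and the key bytes are placeholders.
"""
import struct
from collections import defaultdict

# IANA/RFC 3961 enctype numbers for the types commonly found in keytabs.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return keytab entries in file order (secret key bytes are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # deleted slot: -size bytes of unused space
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):       # in 0x0502 the count excludes the realm
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen            # skip the key material itself
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp})
    return entries


def stale_entries(entries):
    """(principal, kvno) pairs whose kvno is below the newest kvno seen for
    that principal: what a re-added principal leaves behind in the keytab."""
    newest = defaultdict(int)
    for e in entries:
        newest[e["principal"]] = max(newest[e["principal"]], e["kvno"])
    return [(e["principal"], e["kvno"]) for e in entries
            if e["kvno"] < newest[e["principal"]]]


def describe(entries, principal):
    """Where a principal sits in the keytab and which kvnos/enctypes it has."""
    mine = [(i, e) for i, e in enumerate(entries) if e["principal"] == principal]
    return {
        "present": bool(mine),
        "position": mine[0][0] if mine else None,
        "kvnos": sorted({e["kvno"] for _, e in mine}),
        "enctypes": sorted({ENCTYPES.get(e["enctype"], str(e["enctype"]))
                            for _, e in mine}),
    }


def build_entry(principal, kvno, enctype, key, timestamp=1284774969):
    """Serialise one 0x0502 entry; used only to construct the sample keytab."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


HOST = "host/fbsdclient.ee.auth.gr@EXAMPLE.REALM"   # realm is a placeholder
NFS = "nfs/fbsdclient.ee.auth.gr@EXAMPLE.REALM"
KEY = b"\x11" * 32                                  # constructed dummy key bytes
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(HOST, 2, 18, KEY)        # host/ key first, as in the post
                 + build_entry(NFS, 1, 18, KEY)         # stale: left behind by a kvno bump
                 + build_entry(NFS, 2, 18, KEY)         # current key
                 + build_entry(NFS, 2, 1, b"\x22" * 8)) # same kvno, single-DES enctype

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for i, e in enumerate(ents):
        print(i, e["principal"], "kvno", e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"]))
    print("stale:", stale_entries(ents))
    print(describe(ents, NFS))
```

To run it against a real file, replace SAMPLE_KEYTAB with the contents of /etc/krb5.keytab (readable only by root). Once the nfs/ principal is confirmed present with the expected kvno and enctype, test that specific entry rather than whatever comes first in the file by naming it explicitly, e.g. `kinit -k -t /etc/krb5.keytab nfs/fbsdclient.ee.auth.gr@REALM`; if that fails while the entry is listed, compare its kvno and enctype against what the KDC currently issues for the principal, since Rick's two failure modes both show up as a mismatch there.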