Hello,
I’m trying to understand when/how the different KVNO versions in a file should or
shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what it will accept
for a keytab file with different KVNO versions. I’m not sure if I’m misunderstanding
something, or there’s a bug somewhere.
So to start…
Create a host:
ipa host-add emc-nas-server.example.com --ip-address 10.75.37.2
Create a service:
ipa service-add NFS/emc-nas-server.example.com@EXAMPLE.COM
Get a keytab file:
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 nfs/emc-nas-server.example.com@EXAMPLE.COM
2 1 nfs/emc-nas-server.example.com@EXAMPLE.COM
I upload the keytab file to the Dell Unity box. I can then mount the NFS share no problem
with Kerberos sec=krb5.
Now where my question comes in, if I generate a new keytab file with
ipa-getkeytab -s ipaserver.example.com -p nfs/emc-nas-server.example.com -k /tmp/emc-nas-server.keytab -P
Check the keytab file:
ktutil
ktutil: read_kt /tmp/emc-nas-server.example.com.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 nfs/emc-nas-server.example.com@EXAMPLE.COM
2 1 nfs/emc-nas-server.example.com@EXAMPLE.COM
3 2 nfs/emc-nas-server.example.com@EXAMPLE.COM
4 2 nfs/emc-nas-server.example.com@EXAMPLE.COM
So now this keytab file has version 1 and version 2 in the keytab file. If I upload this
file to the Dell Unity box and try to mount the NFS share that’s being validated via
Kerberos, it fails to mount. I validated that my NFS client is now sending kvno 2 with
tcpdump.
Since the Unity box has the new keytab file with 2 versions, shouldn’t the Unity box be
checking against all of the versions of the keytab file, or at least the latest (KVNO 2),
allowing the mount to work? It seems that the Unity box is only checking against 1 KVNO
version and failing. Since it’s the same keytab file, shouldn’t this work, or am I
misunderstanding something?
Thanks,
-Kevin
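An added example (not from the post, FreeIPA or Dell) for checking which key versions a keytab actually carries for a principal before it is uploaded to an appliance: it parses the MIT keytab file format (0x0502, big-endian, with the optional trailing 32-bit kvno) and builds a constructed two-entry sample with filler key bytes, so it runs offline.

```python
import struct
# Constructed sample data (not from the post): a keytab holding kvno 1 and
# kvno 2 entries for the service principal; key bytes are dummy filler.
REALM, PRINCIPAL = "EXAMPLE.COM", "nfs/emc-nas-server.example.com"
AES256_SHA1 = 18  # aes256-cts-hmac-sha1-96 enctype number (RFC 3962)

def _octets(b):  # counted_octet_string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise one MIT keytab entry (file format 0x0502, big-endian)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno field
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Yield (principal@REALM, kvno, enctype) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        entry, pos, off = data[pos:pos + size], pos + size, 4
        ncomp, rlen = struct.unpack_from(">HH", entry, 0)
        realm = entry[off:off + rlen].decode()
        off, comps = off + rlen, []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off)
            comps.append(entry[off + 2:off + 2 + clen].decode())
            off += 2 + clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", entry, off)
        enctype, klen = struct.unpack_from(">HH", entry, off + 9)
        off += 13 + klen
        kvno = vno8  # the 32-bit vno, when present and non-zero, overrides vno8
        if off + 4 <= len(entry) and struct.unpack_from(">I", entry, off)[0]:
            kvno = struct.unpack_from(">I", entry, off)[0]
        yield "/".join(comps) + "@" + realm, kvno, enctype

def kvnos_for(data, principal):
    """Sorted list of key versions the keytab holds for one principal."""
    return sorted({k for p, k, _ in parse_keytab(data) if p == principal})

SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(PRINCIPAL, REALM, v, AES256_SHA1, bytes([v]) * 32) for v in (1, 2))
```

On a real file, `kvnos_for(open(path, "rb").read(), principal)` returns the same KVNO list that `ktutil list` shows, so a missing version can be spotted on the host before the appliance rejects the mount.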