NFS Services Administrator's Guide: HP-UX 11i version 3 > Chapter 5 Troubleshooting NFS Services

Common Problems while using Secure NFS with Kerberos


“Permission Denied” Message

This message can be displayed for one of the following reasons:

  • The Ticket Granting Ticket (TGT) has expired

    To renew the ticket, enter the following command:

    kinit username
  • Fully qualified hostname resolution problem

    To verify the hostname resolution, check the following files:

    • /etc/nsswitch.conf

    • /etc/hosts

    To provide a fully qualified host name, do the following:

    • Add dns to the hosts entry in the /etc/nsswitch.conf file

    • Re-configure NIS and /etc/hosts

  • Time mismatch of 5 minutes between Kerberos server and Kerberos client

    HP recommends that you run a time server to synchronize the time between the client and the server.

  • Improper krb5.conf

    This could be because the realm-to-domain matching is not set in either the server's or the client's configuration file (krb5.conf).

    To fix the krb5.conf file for proper domain name to realm matching, modify the file based on the following sample:

    #
    # Kerberos configuration
    # This krb5.conf file is intended as an example only.
    # see krb5.conf(4) for more details
    # hostname is the fully qualified hostname(FQDN) of host on which kdc is running
    # domain_name is the fully qualified name of your domain
    [libdefaults]
       default_realm = krbhost.anyrealm.com
       default_tkt_enctypes = DES-CBC-CRC
       default_tgs_enctypes = DES-CBC-CRC
       ccache_type = 2
    [realms]
    krbhost.anyrealm.com = {
          kdc = krbhost.anyrealm.com:88
          admin_server = krbhost.anyrealm.com
    }
    [domain_realm]
    .anyrealm.com = krbhost.anyrealm.com
    [logging]
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmin.log
            default = FILE:/var/log/krb5lib.log

  • The user who is trying to access the mounted filesystem has not obtained a TGT using their login.

    For example, if you are a guest user and are attempting to access the NFS mounted filesystem with the Kerberos security option, you need to have a TGT.

    To identify the default principal name, enter the following command:

    klist 

    If the default principal name is not ‘guest’, enter the following command to obtain a TGT for the guest principal:

    kinit guest
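
The two file-based causes above (no dns in the hosts entry of /etc/nsswitch.conf, and a missing domain-to-realm mapping in krb5.conf) can be checked with a short script. This is an added example, not part of the HP guide; the function names and the constructed sample files are assumptions, and it only reads files rather than calling any Kerberos command.

```shell
#!/bin/sh
# Added example: offline checks for two "Permission Denied" causes.
# Function names and the sample files are assumptions, not HP tooling.

# Succeed if the hosts: line of an nsswitch.conf-style file ($1) lists dns.
hosts_uses_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Print the realm that [domain_realm] in krb5.conf ($1) gives for FQDN ($2).
# An exact host entry wins, then the longest matching ".domain" entry.
# Returns 1 when no entry matches.
realm_for_host() {
    awk -v host="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { insec = ($0 ~ /\[domain_realm\]/); next }
        insec && /=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            map[tolower(kv[1])] = kv[2]
        }
        END {
            h = tolower(host)
            if (h in map) { print map[h]; exit 0 }
            while ((i = index(h, ".")) > 0) {
                h = substr(h, i)          # e.g. ".anyrealm.com"
                if (h in map) { print map[h]; exit 0 }
                h = substr(h, 2)          # drop the dot, try the parent domain
            }
            exit 1
        }' "$1"
}

# Constructed sample files; the krb5.conf lines mirror the sample above.
SAMPLE_DIR="${TMPDIR:-/tmp}/nfskrb.$$"
mkdir -p "$SAMPLE_DIR"
printf 'passwd: files\nhosts: files\n' > "$SAMPLE_DIR/nsswitch.bad"
printf 'passwd: files\nhosts: files dns\n' > "$SAMPLE_DIR/nsswitch.good"
printf '[libdefaults]\n   default_realm = krbhost.anyrealm.com\n[domain_realm]\n.anyrealm.com = krbhost.anyrealm.com\n' > "$SAMPLE_DIR/krb5.conf"

for f in nsswitch.bad nsswitch.good; do
    hosts_uses_dns "$SAMPLE_DIR/$f" && echo "$f: dns present" || echo "$f: dns missing"
done
for h in nfsclient.anyrealm.com nfsclient nfsclient.other.example; do
    r=$(realm_for_host "$SAMPLE_DIR/krb5.conf" "$h") && echo "$h -> $r" || echo "$h: no realm mapping"
done
```

The short name nfsclient finds no mapping while nfsclient.anyrealm.com does, which is why the hostname must resolve to its fully qualified form.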
© 2007 Hewlett-Packard Development Company, L.P.