RPCSEC-GSS problem determination

Consider the following solutions when you are having trouble with RPCSEC-GSS.

  • Use the klist command on the client to make sure that you have valid, current credentials.
  • Make sure that the clocks on the client, server, and KDC are in sync. It is recommended that NTP or equivalent setup be used to ensure a consistent time across the entire Kerberos realm.
  • Make sure that the server has a valid keytab file and host principal. If the following command fails, the server will not work (the first line of /etc/nfs/hostkey holds the principal and the last line holds the keytab path, so both are read with command substitution):
    kinit -kt $(tail -n 1 /etc/nfs/hostkey) $(head -n 1 /etc/nfs/hostkey)
  • Ensure the gssd daemon is running and responsive on the client and the server with the following command:
    rpcinfo -u localhost 400234
    If the gssd daemon is not responding, RPCSEC-GSS will fail; stopping and restarting the gssd daemon may correct this problem.
  • If you are getting write errors with integrity or privacy, make sure that you are using the kernel module. Integrity and privacy are not supported without the kernel module. (The kernel module is the Kerberos kernel module, /usr/lib/drivers/nfs.ext. It is installed with the modcrypt.base file set from the expansion pack.)
  • If specific users are experiencing denials when accessing data they should have access to, verify that the involved principals in the KDC are properly synchronized with the user's AIX® account name.
  • Activate the system log. Most RPCSEC-GSS errors will be logged. The errors have two parts: the first is the GSS error code (see RFC 2744 for details), and the second is a Kerberos error code.
    Note: Activating the system log might affect system performance; therefore, the log should be deactivated after the problem determination is complete.
    Some common error codes and their solutions are as follows:
    KRB5_CC_NOTFOUND
    Valid Kerberos credentials could not be found. The kinit command may fix this problem.
    KRB5_KDC_UNREACH
    The KDC is unreachable. Make sure that the KDC is up and that there are no network problems between the client or server and the KDC.
    KRB5_KT_NOTFOUND
    The keytab entry for your server principal was not found. Use the nfshostkey -l command to make sure that you are using the correct principal (it should be nfs/<fully qualified domain name>) and keytab file. Use the klist -ke command to check the server keytab file for the appropriate entry.
    KRB5KRB_AP_ERR_TKT_NYV
    Most likely indicates a clock problem between the client, the server, or the KDC.
    KRB5KRB_AP_WRONG_PRINC and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    Both of these errors indicate that the principal that the client is using for the server does not match the server's host principal.
    KRB5KRB_AP_WRONG_PRINC
    Indicates that the client succeeded in resolving the server's host name to an existing principal of the form nfs/<fully qualified domain name>, but the server's host principal does not match this principal.
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    Indicates that the client was unable to resolve the server's host name to an existing principal. Use the nfshostkey -l command to check the server to make sure that it has the correct principal. If it does, the client's host mapping table will probably need to be updated; see the nfshostmap command for details.
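The following POSIX shell script is an added example and is not part of this IBM page; it strings together the first four checks above (client credentials, keytab and host principal, gssd responsiveness) so that they can be run in one pass on a server or client, and keeps the hostkey parsing and clock-skew logic in separate functions so they can be exercised offline. It assumes that /etc/nfs/hostkey holds the principal on its first line and the keytab path on its last line (what the page's kinit command implies), that klist exits non-zero when no credential cache exists, and that 400234 is the gssd program number quoted above. The 300-second skew tolerance is the common Kerberos default, not a value taken from this page.

```shell
#!/bin/sh
# Added example, not from the IBM page: a pre-flight script for the
# RPCSEC-GSS checks listed above. Assumptions: /etc/nfs/hostkey holds the
# principal on its first line and the keytab path on its last line; klist
# exits non-zero when no credential cache exists; 400234 is the gssd
# program number quoted on the page.

# Print "<principal> <keytab>" read from a hostkey-style file, or fail.
hostkey_parse() {
    file=$1
    [ -r "$file" ] || return 1
    principal=$(head -n 1 "$file")
    keytab=$(tail -n 1 "$file")
    [ -n "$principal" ] && [ -n "$keytab" ] || return 1
    printf '%s %s\n' "$principal" "$keytab"
}

# Succeed only for a principal of the form nfs/<fqdn> or nfs/<fqdn>@REALM,
# the shape the page says the server host principal must have.
principal_is_nfs_host() {
    case $1 in
        nfs/?*.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Clock-skew check: local epoch seconds, reference epoch seconds, tolerance.
# 300 s is the usual Kerberos default (assumed, not stated on the page).
skew_ok() {
    local_t=$1; ref_t=$2; tol=${3:-300}
    skew=$(( local_t - ref_t ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "$tol" ]
}

# Live checks; these need an AIX host with Kerberos and NFS configured.
# Note that kinit -kt replaces the current credential cache, as on the page.
rpcsec_gss_checks() {
    hk=${1:-/etc/nfs/hostkey}
    status=0
    if klist >/dev/null 2>&1; then
        echo "ok: credentials present (run klist to confirm they are current)"
    else
        echo "FAIL: no valid credentials; run kinit"; status=1
    fi
    if parsed=$(hostkey_parse "$hk"); then
        principal=${parsed%% *}; keytab=${parsed#* }
        principal_is_nfs_host "$principal" ||
            { echo "WARN: $principal is not of the form nfs/<fqdn>"; status=1; }
        if kinit -kt "$keytab" "$principal"; then
            echo "ok: keytab $keytab has a usable entry for $principal"
        else
            echo "FAIL: kinit with keytab failed; check klist -ke $keytab and nfshostkey -l"
            status=1
        fi
    else
        echo "FAIL: cannot read principal and keytab from $hk"; status=1
    fi
    if rpcinfo -u localhost 400234 >/dev/null 2>&1; then
        echo "ok: gssd is responding"
    else
        echo "FAIL: gssd not responding; stop and restart the gssd daemon"; status=1
    fi
    return $status
}

# Run the live checks only when invoked with --run, so the file can be sourced.
[ "${1:-}" = "--run" ] && rpcsec_gss_checks "${2:-}"
```

Invoke it as `sh rpcsec_gss_check.sh --run` on the server (or with a second argument naming an alternative hostkey file); each failing line names the remedy from the list above. The error-code table above still applies to whatever the kinit or rpcinfo step reports, since the script only surfaces the commands' exit status.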