Sep 30 2009


Note that I'm not a Kerberos expert by any means. These short instructions got puzzled together from some tutorials, and they work for me. It's likely I forgot something too, so YMMV.

1. Initialize the KDC database. On Debian this is done through debconf at package install time. Take the rest of the initial setup of /etc/krb5.conf, /etc/krb5kdc/kadm5.acl etc. from the first link of the resources.

2. Add an admin account:

kadmin.local -q "addprinc root/admin"

3. Add a host account for the KDC machine itself:

kadmin.local -q "addprinc -randkey host/"

4. For every client, on the server:

   a. Add a machine (host) account:

   kadmin -q "addprinc -randkey host/"

   b. Add an NFS service account:

   kadmin -q "addprinc -randkey nfs/"

5. On every client, add the keys generated on the server to the keytab (/etc/krb5.keytab):

kadmin -q "ktadd host/"
kadmin -q "ktadd -e des-cbc-crc:normal nfs/"

Note that des-cbc-crc is single DES; it is requested here only because the Linux NFS GSS code of that era supported nothing stronger. On a current kernel drop the -e option so the stronger default enctypes are used.


  • On Debian, edit /etc/default/nfs-common and /etc/default/nfs-kernel-server to make sure that statd is not running, and that idmapd and the GSS services (gssd on clients, svcgssd on the server) are started.
  • Make sure that the FQDN of the server doesn't resolve to through /etc/hosts; it will break kadmin.
  • Edit /etc/idmapd.conf and set the domain in the [General] section:

[General]
Domain = your.domain

Otherwise you will get errors like the following in syslog:

rpc.svcgssd[5054]: WARNING: get_ids: failed to map name 'nfs/' to uid/gid: Invalid argument

  • hostname --fqdn really does need to return the fully qualified domain name. Often it does not, because many people set up /etc/hosts so that the unqualified host name comes before the fully qualified one (the first name on a matching line is taken as the canonical name). A correct setup is:

A wrong setup will cause errors like

Aug 23 20:47:19 tor rpc.svcgssd[4738]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name
Aug 23 20:47:19 tor rpc.svcgssd[4738]: Unable to obtain credentials for 'nfs'
Aug 23 20:47:19 tor rpc.svcgssd[4738]: unable to obtain root (machine) credentials
Aug 23 20:47:19 tor rpc.svcgssd[4738]: do you have a keytab entry for nfs/@ in /etc/krb5.keytab?

  • Clocks must be synchronized (NTP is sufficient), or you will get strange errors, e.g. a GSS error where the major code is Unknown Error and the minor code is unknown as well.
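The three pitfalls above (short name before the FQDN in /etc/hosts, no Domain in idmapd.conf, no nfs/ entry in the keytab) can be checked before starting the GSS daemons. The script below is an added example, not part of the original post; it assumes the server FQDN and realm are passed as arguments and uses the Debian file locations as defaults, which can be overridden so the checks can be run against constructed sample files.

```shell
#!/bin/sh
# Pre-flight checks for the pitfalls listed above: /etc/hosts ordering, the idmapd
# Domain setting and the nfs/ keytab entry. Added example, not from the original
# post. Assumed: FQDN and realm come in as arguments; Debian paths are defaults
# that can be overridden, so the checks also run against constructed sample files.

# hosts_order_ok FQDN [HOSTS_FILE]: true when the first hosts line mentioning the
# host names the FQDN first (its canonical name), which `hostname --fqdn` relies on.
hosts_order_ok() {
    fqdn=$1; hosts=${2:-/etc/hosts}; short=${fqdn%%.*}
    awk -v f="$fqdn" -v s="$short" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == f || $i == s) { found = 1; ok = ($2 == f); exit } }
        END { exit (found && ok) ? 0 : 1 }' "$hosts"
}

# idmapd_domain_ok [CONF]: true when [General] has a non-empty "Domain =", whose
# absence produces the get_ids "failed to map name" warning quoted above.
idmapd_domain_ok() {
    awk '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*/, "", sect) }
        sect == "General" && /^[ \t]*Domain[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val != "") ok = 1 }
        END { exit ok ? 0 : 1 }' "${1:-/etc/idmapd.conf}"
}

# keytab_lists_principal SERVICE FQDN REALM: reads `klist -k` output on stdin and
# succeeds when SERVICE/FQDN@REALM is listed, the entry rpc.svcgssd asks for.
keytab_lists_principal() {
    awk -v p="$1/$2@$3" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# run_checks FQDN REALM: run all three against the live system.
run_checks() {
    fqdn=$1; realm=$2
    hosts_order_ok "$fqdn" && echo "ok: /etc/hosts lists $fqdn first" \
        || echo "FAIL: short name precedes $fqdn in /etc/hosts"
    idmapd_domain_ok && echo "ok: Domain set in /etc/idmapd.conf" \
        || echo "FAIL: no Domain in [General] of /etc/idmapd.conf"
    klist -k /etc/krb5.keytab | keytab_lists_principal nfs "$fqdn" "$realm" \
        && echo "ok: keytab has nfs/$fqdn@$realm" \
        || echo "FAIL: no nfs/$fqdn@$realm in /etc/krb5.keytab"
}

if [ $# -ge 2 ]; then run_checks "$@"; fi
```

Run it on the NFS server as `sh checks.sh server.your.domain YOUR.REALM`; each check reports ok or FAIL, and the functions can also be sourced and pointed at other files.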


Additional pages not really used: