How to set up NFS client for Kerberized access in Solaris - NFS


Thread: How to set up NFS client for Kerberized access in Solaris

  1. How to set up NFS client for Kerberized access in Solaris

    Hi Group,

    This is Alok Gore from Bangalore India.
    I was trying to set up Kerberized NFS client-server environment in my
    LAN.
    I am using Solaris 8 machines as NFS client/server and Linux machine
    as the KDC (MIT KDC).

    I installed the SEAM packages needed for the Kerberized NFS Setup on
    the machine.
    I am able to export a path from NFS Server with Krb5 Security mode.

    #share
    - /alok/1 rw ""
    - /alok/2 sec=krb5 ""


    I am able to mount this path from the Client machine with Krb5
    Security mode.

    #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
    #mount
    /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
    on Mon May 3 09:02:27 2004


    But I can't access/list the mounted directory. It says permission
    denied.

    #ls /nfs
    /nfs: Permission denied

    I have the nfs.server-hostname@REALM-NAME principal for the nfs server
    in KDC and I have the keytab file containing this principal on the
    server. The KDC also has a principal root.client-hostname@REALM-NAME
    for client. Am I missing something?

    I am not seeing any traffic on the wire when I get this permission
    denied message. (Maybe the client decides locally that it does not
    have enough rights to authenticate itself to NFS Server.)

    Is it because I am using MIT KDC?

    Thanks in advance,
    -Alok Gore.

  2. Re: How to set up NFS client for Kerberized access in Solaris

    alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > Hi Group,
    >
    > This is Alok Gore from Bangalore India.
    > I was trying to set up Kerberized NFS client-server environment in my
    > LAN.
    > I am using Solaris 8 machines as NFS client/server and Linux machine
    > as the KDC (MIT KDC).
    >
    > I installed the SEAM packages needed for the Kerberized NFS Setup on
    > the machine.
    > I am able to export a path from NFS Server with Krb5 Security mode.
    >
    > #share
    > - /alok/1 rw ""
    > - /alok/2 sec=krb5 ""
    >
    >
    > I am able to mount this path from the Client machine with Krb5
    > Security mode.
    >
    > #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
    > #mount
    > /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
    > on Mon May 3 09:02:27 2004
    >
    >
    > But I can't access/list the mounted directory. It says permission
    > denied.
    >
    > #ls /nfs
    > /nfs: Permission denied
    >
    > I have the nfs.server-hostname@REALM-NAME principal for the nfs server
    > in KDC and I have the keytab file containing this principal on the
    > server. The KDC also has a principal root.client-hostname@REALM-NAME
    > for client. Am I missing something ?


    Are you using nfs.server-hostname@REALM-NAME or nfs/server-hostname@REALM-NAME?
    The latter is known to work. Ditto root.client-hostname@REALM-NAME versus
    root/client-hostname@REALM-NAME.

    Did you kinit to root/client-hostname? Or place it in the keytab on the
    client? What does:

    # klist

    on the client display.


    > I am not seeing any traffic on the wire when I get this permission
    > denied message. (Maybe the client decides locally that it does not
    > have enough rights to authenticate itself to NFS Server.)


    Sounds like you haven't done a kinit or populated the
    keytab with the root/client principal. If so, the client
    has decided it doesn't have client credentials to ask the
    ticket granting service (TGS) on the KDC for a ticket
    to access the NFS server.

    >
    > Is it because I am using MIT KDC ??


    Probably not. Solaris/NFS/krb5 is known to work with
    MIT and Active Directory in addition to the SEAM KDC.

    -mre

  3. Re: How to set up NFS client for Kerberized access in Solaris

    Thanks a lot for the response!

    You asked:
    > Are you using nfs.server-hostname@REALM-NAME or
    > nfs/server-hostname@REALM-NAME?
    > The latter is known to work. Ditto root.client-hostname@REALM-NAME
    > versus
    > root/client-hostname@REALM-NAME.


    I am using nfs/server-hostname@REALM-NAME and
    root/client-hostname@REALM-NAME.
    I have the keytab file containing the principal
    nfs/server-hostname@REALM-NAME copied on to the server and I have done
    kinit on the client. I can see the
    root/client-hostname@REALM-NAME principal when I do a klist on the
    client.

    But I have a confusion! By looking at the principals you can not
    distinguish between the principal for a service and a principal for a
    user. Does it matter?

    Apologies for the naive questions - I'm new to Kerberos.


    I was looking at a thread which is about using Kerberos 4 for NFS client
    server communication on Solaris.
    (Refer to: http://groups.google.com/groups?selm...&output=gplain)
    I know that this discussion does not fully apply to me because I am
    using krb5 and RPCSEC_GSS mechanisms, but some things may be similar.

    Mainly I was able to see these *cookbook* tips for setting it up


    * must run "kerbd" process on both NFS client and NFS server
    * must be running a Kerberos *V4* server
    * export the filesystem with kerberos authentication enabled:
    * obtain "root.client" ticket-granting ticket on the client:
    client# kinit root.client
    * mount the filesystem on the client, with the kerberos option:
    client# mount -o rw,kerberos server:/export/xxx /mnt

    The above mount command will obtain an "nfs.server" service ticket
    from the kerberos server. You can verify this with "klist".

    I am worried about two things:
    1) I don't have anything like the "kerbd" that is mentioned here.
    2) I am not getting the nfs/server-hostname ticket after doing a
    mount.

    Can you help ?


    -Alok.

    spamisevi1@yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405030712.473006df@posting.google.com>...
    > alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > > Hi Group,
    > >
    > > This is Alok Gore from Bangalore India.
    > > I was trying to set up Kerberized NFS client-server environment in my
    > > LAN.
    > > I am using Solaris 8 machines as NFS client/server and Linux machine
    > > as the KDC (MIT KDC).
    > >
    > > I installed the SEAM packages needed for the Kerberized NFS Setup on
    > > the machine.
    > > I am able to export a path from NFS Server with Krb5 Security mode.
    > >
    > > #share
    > > - /alok/1 rw ""
    > > - /alok/2 sec=krb5 ""
    > >
    > >
    > > I am able to mount this path from the Client machine with Krb5
    > > Security mode.
    > >
    > > #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
    > > #mount
    > > /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
    > > on Mon May 3 09:02:27 2004
    > >
    > >
    > > But I can't access/list the mounted directory. It says permission
    > > denied.
    > >
    > > #ls /nfs
    > > /nfs: Permission denied
    > >
    > > I have the nfs.server-hostname@REALM-NAME principal for the nfs server
    > > in KDC and I have the keytab file containing this principal on the
    > > server. The KDC also has a principal root.client-hostname@REALM-NAME
    > > for client. Am I missing something ?

    >
    > Are you using nfs.server-hostname@REALM-NAME or nfs/server-hostname@REALM-NAME?
    > The latter is known to work. Ditto root.client-hostname@REALM-NAME versus
    > root/client-hostname@REALM-NAME.
    >
    > Did you kinit to root/client-hostname? Or place it in the keytab on the
    > client? What does:
    >
    > # klist
    >
    > on the client display.
    >
    >
    > > I am not seeing any traffic on the wire when I get this permission
    > > denied message. (Maybe the client decides locally that it does not
    > > have enough rights to authenticate itself to NFS Server.)

    >
    > Sounds like you haven't done a kinit or populated the
    > keytab with the root/client principal. If so, the client
    > has decided it doesn't have client credentials to ask the
    > ticket granting service (TGS) on the KDC for a ticket
    > to access the NFS server.
    >
    > >
    > > Is it because I am using MIT KDC ??

    >
    > Probably not. Solaris/NFS/krb5 is known to work with
    > MIT and Active Directory in addition to the SEAM KDC.
    >
    > -mre


  4. Re: How to set up NFS client for Kerberized access in Solaris

    alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > Thanks a lot for the response!
    >
    > You asked:
    > > Are you using nfs.server-hostname@REALM-NAME or
    > > nfs/server-hostname@REALM-NAME?
    > > The latter is known to work. Ditto root.client-hostname@REALM-NAME
    > > versus
    > > root/client-hostname@REALM-NAME.
    >
    > I am using nfs/server-hostname@REALM-NAME and
    > root/client-hostname@REALM-NAME.
    > I have the keytab file containing the principal
    > nfs/server-hostname@REALM-NAME copied on to the server and I have done
    > kinit on the client. I can see the
    > root/client-hostname@REALM-NAME principal when I do a klist on the
    > client.
    >
    > But I have a confusion! By looking at the principals you can not
    > distinguish between the principal for a service and a principal for a
    > user. Does it matter?
    >

    Solaris seems to do the principal for root as a separate case,
    i.e. root/client-hostname.dns.domain@REALM
    instead of
    root@REALM.

    But, it sounds like you have things set up ok. One other thing is that, I
    believe, root will still be mapped to nobody, so it may just be that "nobody"
    doesn't have access to the mount point. You might try opening up the
    permissions on the mount point on the server or mapping root->root and see
    if that helps. (Or try a user other than root on the client.)

    Good luck with it, rick

  5. Re: How to set up NFS client for Kerberized access in Solaris

    alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > But I have a confusion! By looking at the principals you can not
    > distinguish between the principal for a service and a principal for a
    > user. Does it matter?


    No. A user principal can be used for a service,
    and vice versa.
    >
    > Apologies for the naive questions - I'm new to Kerberos.
    >
    >
    > I was looking at a thread which is about using Kerberos 4 for NFS client
    > server communication on Solaris.
    > (Refer to: http://groups.google.com/groups?selm...&output=gplain)
    > I know that this discussion does not fully apply to me because I am
    > using krb5 and RPCSEC_GSS mechanisms, but some things may be similar.
    >
    > Mainly I was able to see these *cookbook* tips for setting it up


    NFS over Kerberos V4 is obsolete technology.

    >
    >
    > * must run "kerbd" process on both NFS client and NFS server
    > * must be running a Kerberos *V4* server
    > * export the filesystem with kerberos authentication enabled:
    > * obtain "root.client" ticket-granting ticket on the client:
    > client# kinit root.client
    > * mount the filesystem on the client, with the kerberos option:
    > client# mount -o rw,kerberos server:/export/xxx /mnt
    >
    > The above mount command will obtain an "nfs.server" service ticket
    > from the kerberos server. You can verify this with "klist".
    >
    > I am worried about two things:
    > 1) I don't have anything like the "kerbd" that is mentioned here.


    No, you have gssd which does the same thing.

    > 2) I am not getting the nfs/server-hostname ticket after doing a
    > mount.


    If you put root/ into your keytab things should work.
    Or do a kinit. What does klist show after the mount?

    You should follow the SEAM configuration instructions on
    docs.sun.com.

    Are you using DNS? Do you have DNS running on your
    NFS client and server? And on your KDC? Do your
    root/ and nfs/ principals have fully qualified domain names
    in them? E.g.

    root/alok.rediffmail.

    It might help if you use real names of clients and servers in your
    examples.

    You might also try to use the SEAM KDC, get that working, before
    using the MIT KDC. Since you are new to Kerberos, it might be
    best if you use Sun's code everywhere until you get things working.

  6. Re: How to set up NFS client for Kerberized access in Solaris

    This time I am sending the *complete* setup on client and server.

    SERVER::
    server#ps -eaf | grep gssd
    root 295 154 0 06:32:01 ? 0:00 gssd


    >>Are you using DNS? Do you have DNS running on your
    >>NFS client and server? And on your KDC? Do your
    >>root/ and nfs/ principals have fully qualified domain names
    >>in them? E.g.


    >>root/alok.rediffmail.


    >>It might help if you use real names of clients and servers in your
    >>examples.



    server#klist
    Ticket cache: /tmp/krb5cc_0
    Default principal: root/nfs-alok.blr.novell.com@NFS-REALM

    Valid starting Expires
    Service principal
    Wed May 05 01:07:34 2004 Wed May 05 11:07:34 2004
    krbtgt/NFS-REALM@NFS-REALM
    renew until Wed May 12 01:07:34 2004

    server#klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM

    server#share
    - /alok/1 rw ""
    - /alok/2 sec=krb5 ""


    >>But, it sounds like you have things set up ok. One other thing is
    >>that, I believe, root will still be mapped to nobody, so it may just
    >>be that "nobody" doesn't have access to the mount point. You might try
    >>opening up the permissions on the mount point on the server or mapping
    >>root->root and see if that helps. (Or try a user other than root on
    >>the client.)


    server#ls -ld / /alok /alok/2
    drwxrwxrwx 32 nobody nobody 1024 May 5 06:32 /
    drwxrwxrwx 4 nobody nobody 512 Apr 16 05:10 /alok
    drwxrwxrwx 2 nobody nobody 512 Apr 16 06:08 /alok/2



    CLIENT::
    client#ps -eaf |grep gssd
    root 527 1 0 06:46:45 ? 0:00 /usr/lib/gss/gssd
    client#klist
    Ticket cache: /tmp/krb5cc_0
    Default principal: root/dharma.blr.novell.com@NFS-REALM
    Valid starting Expires
    Service principal
    Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
    krbtgt/NFS-REALM@NFS-REALM
    renew until Wed May 12 01:07:17 2004

    client#klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM

    client#mount
    /nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004
    on Wed May 5 07:15:43 2004

    client#cd /nfs
    bash: cd: /nfs: Permission denied


    >>Read the documentation on our web site. You will find detailed,
    >>step-by-step
    >>instructions for configuring Kerberized NFS.


    Yes! In fact, that was the first source of my information.
    I have done everything including the set-up of the gsscred table;
    only two things are not clear to me in the doc.
    1) My KDC and the NFS client and server are not time-synchronized. But I
    have set the time manually on those machines, which is almost matching.
    But if that *can* create problems like this, I will do a set-up for
    running NTP on those machines. Should I?
    2) Somewhere in the SEAM configuration doc they say: two KDCs are a must
    for SEAM to work.
    Even in my Kerberos set-up (during installation) I was forced to
    enter two KDC host names (I have kept both the same):
    [realms]
    NFS-REALM = {
    kdc = nfstest5.blr.novell.com
    kdc = nfstest5.blr.novell.com
    admin_server = nfstest5.blr.novell.com
    }
    Does it matter?

    Thanks again for the support.

  7. Re: How to set up NFS client for Kerberized access in Solaris

    alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > >>It might help if you use real names of clients and servers in your
    > >>examples.

    >
    >
    > server#klist
    > Ticket cache: /tmp/krb5cc_0
    > Default principal: root/nfs-alok.blr.novell.com@NFS-REALM


    I don't like realms that aren't upper case fully qualified domain
    names (fqdns). Yours is upper case but not a fqdn. I can't say for sure
    when I was leading the SEAM team at Sun that this was ever attempted.
    Wyllys might know if this works.

    The other thing is that you are showing the klist output on the
    NFS server. We need the klist output for the client
    (nfs-alok.blr.novell.com).
    kinit'ing to root/ on the NFS server is of no use.

    > CLIENT::
    > client#ps -eaf |grep gssd
    > root 527 1 0 06:46:45 ? 0:00 /usr/lib/gss/gssd
    > client#klist
    > Ticket cache: /tmp/krb5cc_0
    > Default principal: root/dharma.blr.novell.com@NFS-REALM
    > Valid starting Expires
    > Service principal
    > Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
    > krbtgt/NFS-REALM@NFS-REALM
    > renew until Wed May 12 01:07:17 2004
    >
    > client#klist -k
    > Keytab name: FILE:/etc/krb5/krb5.keytab
    > KVNO Principal
    > ---- --------------------------------------------------------------------------
    > 4 nfs/nfs-alok.blr.novell.com@NFS-REALM
    > 4 nfs/nfs-alok.blr.novell.com@NFS-REALM


    There is no record of you doing a kinit on the nfs client, nor is
    there a root/nfs-alog.blr.novell.com entry in the client's
    keytab.

    > >>Read the documentation on our web site. You will find detailed,
    > >>step-by-step
    > >>instructions for configuring Kerberized NFS.

    >
    > Yes! In fact, that was the first source of my information.
    > I have done everthing including the set-up of gsscred table
    > only two things are not clear to me in the doc.


    So it looks to me like the SEAM docs for Solaris 8 are not quite
    as detailed and task oriented as those for Solaris 7. SEAM for Solaris 7
    was packaged in the SEAS 3.0 product. Try following the instructions for
    SEAM 1.0 in SEAS 3.0. Specifically:

    http://docs.sun.com/db/doc/805-5500/...er+SEAM&a=view

    Step 6 says:

    (Optional) If you want a user on the SEAM client to automatically mount
    Kerberized NFS file systems using Kerberos authentication, you must
    authenticate the root user.

    This process is done most securely by using the kinit command;
    however, users will need to use kinit as root every time they need to
    mount a file system secured by Kerberos. You can choose to use a
    keytab file instead. See "Setting Up Root Authentication to Mount NFS
    File Systems" for detailed information about the keytab requirement.



    client1 # /usr/krb5/bin/kinit root/client1.acme.com
    Password for root/client1.acme.com@ACME.COM:


    To use the keytab file option, add the root principal to the client's
    keytab using kadmin:



    client1 # /usr/krb5/sbin/kadmin -p kws/admin
    Enter password:
    kadmin: ktadd root/client1.acme.com
    kadmin: Entry for principal root/client.acme.com with
    kvno 3, encryption type DES-CBC-CRC added to keytab
    WRFILE:/etc/krb5/krb5.keytab
    kadmin: quit

    Then at the bottom of the web page it says:

    Setting Up Root Authentication to Mount NFS File Systems
    If users want to access a non-Kerberized NFS file system, either the
    NFS file system can be mounted as root, or the file system can be
    accessed automatically through the automounter whenever they access it
    (without requiring root permissions).

    Mounting a Kerberized NFS file system is very much the same, but it
    does incur an additional obstacle. To mount a Kerberized NFS file
    system, users must use the kinit command as root to obtain credentials
    for the client's root principal, because a client's root principal is
    typically not in the client's keytab. This is true even when the
    automounter is set up. Not only is this an extra step, but it forces
    all users to know their system's root password and the root
    principal's password.

    To bypass this, you can add a client's root principal to the client's
    keytab, which will automatically provide credentials for root.
    Although this enables users to mount NFS file systems without running
    the kinit command and enhances ease-of-use, it is a security risk. For
    example, if someone gains access to a system with the root principal
    in its keytab, the person has the capability of obtaining credentials
    for root. So make sure you take the appropriate security precautions.
    See "Administering Keytabs" for more information.

    > 1) My KDC and the NFS Client server are not time-synchronized. But I
    > have set the time manually on those machines which is almost matching.
    > But if that *can* create problems like this, I will do a set-up for
    > running NTP on those machines. Should I ?


    You should run NTP, but to get things going it is not
    needed. On the NFS client and server run rdate, specifying the
    name of the KDC host.

    > 2) Somewhere in the SEAM configuration Doc they say: Two KDCs are must
    > for SEAM to work,
    > Even in my kerberos set-up (during installation) I was forced to
    > enter two KDC host names (I have kept both same)
    > [realms]
    > NFS-REALM = {
    > kdc = nfstest5.blr.novell.com
    > kdc = nfstest5.blr.novell.com
    > admin_server = nfstest5.blr.novell.com
    > }
    > Does it matter ?


    No, this will work for the purpose of getting Kerberized NFS
    going. You can list just one kdc = line and delete the
    other one. But for production, it is bad, really bad. Lose the
    KDC, and your clients won't be able to access Kerberos. Things
    will fail, the sky will fall, and civilization will grind to a halt.

  8. Re: How to set up NFS client for Kerberized access in Solaris

    >I don't like realms that aren't upper case fully qualified domain
    >names (fqdns). Yours is upper case but not a fqdn. I can't say for sure
    >when I was leading the SEAM team at Sun that this was ever attempted.
    >Wyllys might know if this works.


    I'll try with the fqdn as the realm name.

    spamisevi1@yahoo.com (Mike Eisler) wrote in message
    > The other thing is that you are showing the klist output on the
    > NFS server. We need to klist output for the client.
    > (nfs-alok.blr.novell.com).
    > kinit'ing to root/ on the NFS server is of no use.


    Looks like there has been a misunderstanding. I gave the settings both
    on client and server. I am having the keytab containing the
    NFS service's principal *both* on client and server (I know that
    SEAM docs do not mandate this keytab on the client machine, but there
    is no harm either). I have done kinit on server for root/server-hostname
    and have done kinit on client for root/client-hostname.

    (All those lines that start with client# are the commands executed on
    the client machine and all those lines starting with server# are
    commands on server.)

    nfs-alok was the hostname for nfs server
    and
    dharma was the hostname for nfs client.

    To summarise this, my settings are:
    On Client :
    1) Have keytab file containing *nfs-service* principal
    2) I have done kinit for root/client-hostname.

    On Server:
    1) Have keytab file containing *nfs-service* principal
    2) I have done kinit for root/server-hostname.


    Regards.
    -Alok.

  9. Re: How to set up NFS client for Kerberized access in Solaris

    alokgore@rediffmail.com (Alok Gore) wrote in message news:...
    > spamisevi1@yahoo.com (Mike Eisler) wrote in message
    > > The other thing is that you are showing the klist output on the
    > > NFS server. We need to klist output for the client.
    > > (nfs-alok.blr.novell.com).
    > > kinit'ing to root/ on the NFS server is of no use.

    >
    > Looks like there has been a misunderstanding. I gave the settings both
    > on client and server. I am having the keytab containing the
    > NFS service's principal *both* on client and server (I know that
    > SEAM docs do not mandate this keytab on the client machine, but there
    > is no harm either). I have done kinit on server for root/server-hostname


    My understanding is that when an MIT or SEAM KDC extracts a key into
    a keytab, the key is changed. So depending on how you are constructing
    these keytabs, harm is quite possible. Since there's no benefit
    to doing this, and a security risk to doing it, don't do it.
    Similarly, there's no benefit to kiniting to the NFS client principal
    from the NFS server's shell.

    Suggestion: remove your keytabs, remove the nfs principal, re-create
    it, and extract it into one and only one keytab onto the
    NFS server.

    > and have done kinit on client for root/client-hostname.
    >
    > (All those lines that start with #client are the commands executed on
    > the client machine and all those line starting with #server are
    > commands on server)


    Ok, I missed the part where you are kinit'ing on the client
    to root/dharma. Apologies. You had:

    client#klist
    Ticket cache: /tmp/krb5cc_0
    Default principal: root/dharma.blr.novell.com@NFS-REALM
    Valid starting Expires
    Service principal
    Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
    krbtgt/NFS-REALM@NFS-REALM
    renew until Wed May 12 01:07:17 2004

    client#klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM
    4 nfs/nfs-alok.blr.novell.com@NFS-REALM

    client#mount
    /nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004
    on Wed May 5 07:15:43 2004

    client#cd /nfs
    bash: cd: /nfs: Permission denied

    ------------------------------

    So what does klist show after the "cd /nfs"?

    If there's a service ticket to the NFS server, then
    this suggests a problem between the NFS client and the
    NFS server. If there is no ticket, then something else
    is going on ... try analyzing the traffic between the
    NFS client and the KDC.

  10. Re: How to set up NFS client for Kerberized access in Solaris

    spamisevi1@yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405051438.55de1acd@posting.google.com>...
    > alokgore@rediffmail.com (Alok Gore) wrote in message news:...

    [lots of stuff clipped]
    > > Ticket cache: /tmp/krb5cc_0
    > > Default principal: root/dharma.blr.novell.com@NFS-REALM
    > > Valid starting Expires
    > > Service principal
    > > Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
    > > krbtgt/NFS-REALM@NFS-REALM
    > > renew until Wed May 12 01:07:17 2004
    > >
    > > client#klist -k
    > > Keytab name: FILE:/etc/krb5/krb5.keytab
    > > KVNO Principal
    > > ---- --------------------------------------------------------------------------
    > > 4 nfs/nfs-alok.blr.novell.com@NFS-REALM

    [lots more clipped]

    I don't know if it will help, but here is what I would do to try and get
    it going:
    I'll assume the server is nfs-alok.blr.novell.com and the client is
    dharma.blr.novell.com.

    1 - Go to KDC and with kadmin
    - delete any principals you created before for this
    - create the following 2 principals
    nfs/nfs-alok.blr.novell.com@NFS-REALM
    root/dharma.blr.novell.com@NFS-REALM

    - then create the keytab file for the server with
    ktadd -e des-cbc-crc:normal -k
    nfs/nfs-alok.blr.novell.com@NFS-REALM

    2 - go to the server (nfs-alok.blr.novell.com) and
    - copy to the keytab file name
    - try the following command, to see if the keytab worked
    # kinit -k nfs/nfs-alok.blr.novell.com
    - if this works ok
    - reboot the server (I don't know Solaris well enough to say if this
    is necessary or not:-)

    3 - go to the client (dharma.blr.novell.com)
    - get a credentials cache file for root
    # kinit root/dharma.blr.novell.com@NFS-REALM
    - and type the password you gave it when the principal was created in
    step 1
    - now try the mount
    # mount -F nfs -o vers=3,sec=krb5 nfs-alok.blr.novell.com:/ /mnt
    # ls /mnt

    If it still doesn't work, some things to look at:
    - make sure that / on nfs-alok.blr.novell.com has world access
    - make des-cbc-crc the default encryption type for both client and server
    (in krb5.conf)
    - check that the fully qualified domain names are recognized on both client
    and server and returned as the primary name by the DNS resolver. (One cheesy
    way to ensure this is to put entries for both machines in /etc/hosts with
    the fully qualified names first, then set file before bind for the resolver.
    I'm not sure how this is done on Solaris? In nsswitch.conf or a line like
    "lookup file bind" in resolv.conf or ???)

    Good luck with it, rick
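    The checks the replies keep asking for, collected into one POSIX shell
    script as an added example that is not part of the thread and not
    Sun's, SEAM's or any poster's code: does the client credential cache
    belong to root/<client-fqdn>, is there a TGT, does an nfs/<server-fqdn>
    service ticket show up after the first access to the mount (Mike
    Eisler's "klist after cd /nfs" test), is the NFS server's key sitting
    in the client keytab where it does not belong, and is the clock skew
    to the KDC within 300 seconds (the MIT krb5 default clockskew). The
    klist and klist -k text is constructed here, in MIT's one-line-per-
    ticket layout, using the thread's hostnames dharma and nfs-alok so the
    script runs offline; the functions diagnose, has_ticket, keytab_has,
    skew_ok and default_principal are this example's own names. On a real
    client, feed it "$(klist)" and "$(klist -k)" instead of the samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline diagnostics for the
# Kerberized NFS client state discussed above. All klist text below is
# constructed; hostnames follow the thread (client dharma, server nfs-alok).

# Constructed: client `klist` after a successful access (TGT + service ticket).
KLIST_OK='Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com@NFS-REALM
Valid starting     Expires            Service principal
05/05/04 01:07:17  05/05/04 11:07:17  krbtgt/NFS-REALM@NFS-REALM
05/05/04 07:15:43  05/05/04 11:07:17  nfs/nfs-alok.blr.novell.com@NFS-REALM'

# Constructed: the client `klist` as posted in the thread (TGT only).
KLIST_TGT_ONLY='Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com@NFS-REALM
Valid starting     Expires            Service principal
05/05/04 01:07:17  05/05/04 11:07:17  krbtgt/NFS-REALM@NFS-REALM'

# Constructed: the client `klist -k` as posted (holds the server's nfs/ key).
KEYTAB_WITH_NFS='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM'

# Constructed: an empty client keytab listing.
KEYTAB_EMPTY='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------'

# default_principal KLIST_TEXT -> prints the principal the cache belongs to
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_ticket KLIST_TEXT PREFIX -> true if some ticket's service principal
# (last field of a ticket line) begins with PREFIX
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '!/^Default principal:/ && index($NF, want) == 1 { found = 1 }
         END { exit !found }'
}

# keytab_has KEYTAB_TEXT PREFIX -> true if a keytab entry begins with PREFIX
keytab_has() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
         END { exit !found }'
}

# skew_ok CLIENT_EPOCH KDC_EPOCH -> true if |difference| <= 300 seconds
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le 300 ]
}

# diagnose CLIENT_FQDN SERVER_FQDN KLIST_TEXT KEYTAB_TEXT CLIENT_EPOCH KDC_EPOCH
# Writes one line per finding to stderr; prints the number of findings.
diagnose() {
    client=$1; server=$2; klist_out=$3; keytab_out=$4
    problems=0
    case $client in
        *.*) ;;
        *) echo "client name '$client' is not fully qualified" >&2
           problems=$((problems + 1)) ;;
    esac
    princ=$(default_principal "$klist_out")
    case $princ in
        "root/$client@"*) ;;
        *) echo "cache principal is '$princ', expected root/$client@REALM" >&2
           problems=$((problems + 1)) ;;
    esac
    if ! has_ticket "$klist_out" "krbtgt/"; then
        echo "no TGT in cache: kinit root/$client on the client" >&2
        problems=$((problems + 1))
    fi
    if ! has_ticket "$klist_out" "nfs/$server@"; then
        echo "no nfs/$server ticket: client never asked the TGS for one" >&2
        problems=$((problems + 1))
    fi
    if keytab_has "$keytab_out" "nfs/$server@"; then
        echo "client keytab holds the NFS server's key; keep it on the server only" >&2
        problems=$((problems + 1))
    fi
    if ! skew_ok "$5" "$6"; then
        echo "clock skew to KDC exceeds 300s: rdate/NTP against the KDC" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Stand-alone run over the constructed samples (epochs are constructed too):
# healthy client, then the thread's state with a 600 s skew.
diagnose dharma.blr.novell.com nfs-alok.blr.novell.com \
    "$KLIST_OK" "$KEYTAB_EMPTY" 1083718800 1083718810
diagnose dharma.blr.novell.com nfs-alok.blr.novell.com \
    "$KLIST_TGT_ONLY" "$KEYTAB_WITH_NFS" 1083718800 1083718200
```

    The first call reports 0 findings; the second reports three (no
    nfs/ service ticket, the server key in the client keytab, and the
    skew), which is the situation the thread is stuck in: a TGT exists, but
    nothing ever produced a service ticket for the NFS server, so the next
    step is the traffic between client and KDC rather than the NFS server.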
