How to set up NFS client for Kerberized access in Solaris

Alok Gore alokgore at rediffmail.com
Tue May 4 04:30:43 EDT 2004


Thanks a lot for the response! :)

You asked:
> Are you using nfs.server-hostname@REALM-NAME or
> nfs/server-hostname@REALM-NAME?
> The latter is known to work. Ditto root.client-hostname@REALM-NAME
> versus root/client-hostname@REALM-NAME.

I am using nfs/server-hostname@REALM-NAME and
root/client-hostname@REALM-NAME.
I have the keytab file containing the principal
nfs/server-hostname@REALM-NAME copied on to the server and I have done
kinit on the client. I can see the
root/client-hostname@REALM-NAME principal when I do a klist on the
client.

But I have a confusion! By looking at the principals you cannot
distinguish between the principal for a service and a principal for a
user.  Does it matter?

Apologies for the naive questions - I'm new to Kerberos.


I was looking at a thread which is about using Kerberos 4 for NFS client
server communication on Solaris.
(Refer to: http://groups.google.com/groups?selm=rns.812460270%40deakin.edu.au&oe=UTF-8&output=gplain)
I know that this discussion does not fully apply to me because I am
using krb5 and RPCSEC_GSS mechanisms, but some things may be similar.

Mainly I was able to see these *cookbook* tips for setting it up


 * must run "kerbd" process on both NFS client and NFS server
 * must be running a Kerberos *V4* server
 * export the filesystem with kerberos authentication enabled:
 * obtain "root.client" ticket-granting ticket on the client:
     client# kinit root.client
 * mount the filesystem on the client, with the kerberos option:
     client# mount -o rw,kerberos server:/export/xxx /mnt

The above mount command will obtain an "nfs.server" service ticket
from the kerberos server.  You can verify this with "klist".

I am worried about two things:
1) I don't have anything like the "kerbd" that is mentioned here.
2) I am not getting the nfs/server-hostname ticket after doing a mount.

Can you help?

 
-Alok.

spamisevi1 at yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405030712.473006df at posting.google.com>...
> alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405030045.7439402b at posting.google.com>...
> > Hi Group,
> > 
> >  This is Alok Gore from Bangalore India.
> > I was trying to set up Kerberized NFS client-server environment in my
> > LAN.
> > I am using Solaris 8 machines as NFS client/server and Linux machine
> > as the KDC (MIT KDC).
> > 
> > I installed the SEAM packages needed for the Kerberized NFS Setup on
> > the machine.
> > I am able to export a path from NFS Server with Krb5 Security mode.
> > 
> > #share
> > -               /alok/1   rw   ""
> > -               /alok/2   sec=krb5   ""
> > 
> > 
> > I am able to mount this path from the Client machine with Krb5
> > Security mode.
> > 
> > #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
> > #mount 
> > /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
> > on Mon May  3 09:02:27 2004
> > 
> > 
> > But I can't access/list the mounted directory. It says permission
> > denied.
> > 
> > #ls /nfs
> > /nfs: Permission denied
> > 
> > I have the nfs.server-hostname@REALM-NAME principal for the nfs server
> > in KDC and I have the keytab file containing this principal on the
> > server. The KDC also has a principal root.client-hostname@REALM-NAME
> > for client. Am I missing something?
> 
> Are you using nfs.server-hostname@REALM-NAME or nfs/server-hostname@REALM-NAME?
> The latter is known to work. Ditto root.client-hostname@REALM-NAME versus
> root/client-hostname@REALM-NAME.
> 
> Did you kinit to root/client-hostname? Or place it in the keytab on the
> client? What does:
> 
>      # klist 
> 
> on the client display.
> 
> 
> > I am not seeing any traffic on the wire when I get this permission
> > denied message. (Maybe the client decides locally that it does not
> > have enough rights to authenticate itself to NFS Server)
> 
> Sounds like you haven't done a kinit or populated the
> keytab with the root/client principal. If so, the client
> has decided it doesn't have client credentials to ask the
> ticket granting service (TGS) on the KDC for a ticket
> to access the NFS server.
> 
> > 
> > Is it because I am using MIT KDC?
> 
> Probably not. Solaris/NFS/krb5 is known to work with
> MIT and Active Directory in addition to the SEAM KDC.
> 
>    -mre
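The two checks the reply above asks for (is the client's default principal in root/<host>@REALM form rather than the dotted root.<host> form, and did the sec=krb5 mount actually obtain an nfs/<server>@REALM service ticket) written out as a small POSIX shell script. This is an added example, not code from the thread: the klist listing it parses is constructed, the realm EXAMPLE.COM and the hostnames are assumptions, and real klist output on Solaris may differ in layout, so the parser keys only on the "Default principal:" line and on the last whitespace-separated field of each ticket line.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a klist listing for the
# two things the reply above points at. Realm and hostnames are assumptions.

REALM="EXAMPLE.COM"        # assumed realm
NFS_SERVER="nfs-alok"      # NFS server hostname used in the thread

# Constructed klist output (not captured from a real system), modelled on
# the MIT/SEAM klist layout: a "Default principal:" line, then one ticket
# per line whose last field is the service principal.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/client-host@EXAMPLE.COM

Valid starting     Expires            Service principal
05/04/04 09:00:00  05/04/04 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/04/04 09:02:00  05/04/04 19:00:00  nfs/nfs-alok@EXAMPLE.COM'

# principal_form PRINCIPAL -> prints "slash" (service/host@REALM, the form
# known to work), "dot" (the V4-style service.host@REALM form) or "unknown".
principal_form() {
    case "$1" in
        */*@*) echo slash ;;
        *.*@*) echo dot ;;
        *)     echo unknown ;;
    esac
}

# default_principal LISTING -> prints the value of the "Default principal:" line
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_service_ticket LISTING PRINCIPAL -> exit 0 if a ticket for PRINCIPAL is listed
has_service_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# check_client_creds LISTING SERVER REALM -> prints one line per check and
# exits 0 only when the client principal is in slash form and the
# nfs/SERVER@REALM service ticket is present.
check_client_creds() {
    listing="$1"; server="$2"; realm="$3"; status=0
    princ=$(default_principal "$listing")
    case "$(principal_form "$princ")" in
        slash) echo "ok: client principal $princ is in service/host form" ;;
        dot)   echo "warn: client principal $princ is the dotted V4-style form; kinit root/<client-host>@$realm instead"
               status=1 ;;
        *)     echo "warn: default principal '$princ' is not in service/host form; run kinit root/<client-host>@$realm"
               status=1 ;;
    esac
    if has_service_ticket "$listing" "nfs/$server@$realm"; then
        echo "ok: service ticket nfs/$server@$realm present"
    else
        echo "warn: no nfs/$server@$realm ticket; the sec=krb5 mount did not obtain one"
        status=1
    fi
    return "$status"
}

# Run against the constructed listing; on a real client replace SAMPLE_KLIST
# with "$(klist)" after the mount.
check_client_creds "$SAMPLE_KLIST" "$NFS_SERVER" "$REALM"
```

On a real client the order matters: kinit as root/<client-host> first, then mount with sec=krb5, then klist; a missing nfs/<server> line at that point means the client never asked the TGS for the service ticket, which matches the "no traffic on the wire" symptom described in the thread.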

