kerberos and nfs

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Jun 3 09:03:35 EDT 2002


John Rudd wrote:
> Nicolas.Williams at ubsw.com wrote:
> 
> 
>>Now. Sun has an implementation of all of that based on MIT krb5 code, though you can't simply take MIT krb5 and plug it in - you must use Sun's code.
> 
> 
> 
> What exactly do you mean here?  What do you mean by "you must use sun's
> code"?

I think what he means is that you cannot use MIT's KRB5 code to protect
NFS shares. If you want to use NFS with Kerberos protection on the shares,
you must have SEAM (Sun's Kerberos) installed.

There should be no problem having both SEAM and MIT code installed on
the same system (I do it myself for testing purposes) as long as you
keep your config files and path names.

> 
> I have MIT krb5 installed on my solaris 8 hosts, and I also have Sun's
> krb5 installed on them.  I use them together freely (with 2 MIT KDC's). 
> My popper and kpopper were compiled against MIT, and my popper uses
> Sun's PAM module for KRB5 passwords authentication.  I have
> /etc/krb5/krb5.conf symlinked to /etc/krb5.conf, etc.  Everything works
> together just fine (I can MIT kinit and then Sun klist, etc.).
> 
> Where are these things not interchangeable, and what code of Sun's must I
> use for Secure NFS?

The NFS protection is occurring in-kernel using the SEAM GSSAPI
mechanism for Kerberos. So, even if you have MIT Kerberos installed,
it is not being used for anything NFS related.

   # ls   /kernel/misc/kgss/gl_kmech_krb5

This is compiled and built using only the Sun code and cannot be substituted
with anything else.

Also, the SEAM ftp client and server will only work with the SEAM GSSAPI
Kerberos v5 mechanism (and the MIT ftp client and server will only work
with the MIT mech).


-Wyllys