kerberos and nfs
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Jun 3 09:03:35 EDT 2002
John Rudd wrote:
> Nicolas.Williams at ubsw.com wrote:
>
>
>>Now. Sun has an implementation of all of that based on MIT krb5 code, though you can't simply take MIT krb5 and plug it in - you must use Sun's code.
>
>
>
> What exactly do you mean here? What do you mean by "you must use sun's
> code"?
I think what he means is that you cannot use MIT's KRB5 code to protect
NFS shares.
If you want to use NFS with Kerberos protection on the shares, you must have
SEAM (Sun's Kerberos) installed.
There should be no problem having both SEAM and MIT code installed on
the same system (I do it myself for testing purposes) as long as you
keep your
config files and path names.
>
> I have MIT krb5 installed on my solaris 8 hosts, and I also have Sun's
> krb5 installed on them. I use them together freely (with 2 MIT KDC's).
> My popper and kpopper were compiled against MIT, and my popper uses
> Sun's PAM module for KRB5 passwords authentication. I have
> /etc/krb5/krb5.conf symlinked to /etc/krb5.conf, etc. Everything works
> together just fine (I can MIT kinit and then Sun klist, etc.).
>
> Where are these things not interchangable, and what code of Sun's must I
> use for Secure NFS?
The NFS protection is occurring in-kernel using the SEAM GSSAPI
mechanism for Kerberos.
So, even if you have MIT Kerberos installed, it is not being used for
anything NFS related.
# ls /kernel/misc/kgss/gl_kmech_krb5
This is compiled and built using only the Sun code and cannot be substituted
with anything else.
Also, the SEAM ftp client and server will only work with the SEAM GSSAPI
Kerberos v5
mechanism (and the MIT ftp client and server will only work with the MIT
mech).
-Wyllys
More information about the Kerberos
mailing list