How to set up NFS client for Kerberized access in Solaris

Mike Eisler spamisevi1 at yahoo.com
Mon May 3 11:12:35 EDT 2004


alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405030045.7439402b at posting.google.com>...
> Hi Group,
> 
>  This is Alok Gore from Bangalore India.
> I was trying to set up Kerberized NFS client-server environment in my
> LAN.
> I am using Solaris 8 machines as NFS client/server and Linux machine
> as the KDC (MIT KDC).
> 
> I installed the SEAM packages needed for the Kerberized NFS Setup on
> the machine.
> I am able to export a path from NFS Server with Krb5 Security mode.
> 
> #share
> -               /alok/1   rw   ""
> -               /alok/2   sec=krb5   ""
> 
> 
> I am able to mount this path from the Client machine with Krb5
> Security mode.
> 
> #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
> #mount 
> /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
> on Mon May  3 09:02:27 2004
> 
> 
> But I can't access/list the mounted directory. It says permission
> denied.
> 
> #ls /nfs
> /nfs: Permission denied
> 
> I have the nfs.server-hostname@REALM-NAME principal for the nfs server
> in KDC and I have the keytab file containing this principal on the
> server. The KDC also has a principal root.client-hostname@REALM-NAME
> for client. Am I missing something?

Are you using nfs.server-hostname@REALM-NAME or nfs/server-hostname@REALM-NAME?
The latter is known to work. Ditto root.client-hostname@REALM-NAME versus
root/client-hostname@REALM-NAME.

Did you kinit to root/client-hostname? Or place it in the keytab on the
client? What does:

     # klist 

on the client display?


> I am not seeing any traffic on the wire when I get this permission
> denied message. (Maybe the client decides locally that it does not
> have enough rights to authenticate itself to NFS Server)

Sounds like you haven't done a kinit or populated the
keytab with the root/client principal. If so, the client
has decided it doesn't have client credentials to ask the
ticket granting service (TGS) on the KDC for a ticket
to access the NFS server.

> 
> Is it because I am using MIT KDC ?? 

Probably not. Solaris/NFS/krb5 is known to work with
MIT and Active Directory in addition to the SEAM KDC.

   -mre
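
The check suggested in the reply above, as an added example that is not part of the original message: a shell function that reads `klist -k` style keytab output and reports whether the principal is in the `service/host@REALM` form or the dotted `service.host@REALM` form. The fully qualified host names, the realm `EXAMPLE.COM`, the function names and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# check_principals SERVICE HOST REALM  (keytab listing on stdin)
# Returns 0 if SERVICE/HOST@REALM is listed, 1 otherwise.
check_principals() {
    awk -v svc="$1" -v host="$2" -v realm="$3" '
        BEGIN {
            want   = svc "/" host "@" realm   # form the reply says is known to work
            dotted = svc "." host "@" realm   # form used in the original question
            found  = 0
        }
        # Entry lines start with a numeric KVNO; the principal is field 2.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if ($2 == want)        { found = 1; print "OK " $2 }
            else if ($2 == dotted) { print "DOTTED " $2 " (expected " want ")" }
        }
        END {
            if (!found) print "MISSING " want
            exit (found ? 0 : 1)
        }
    '
}

# Constructed sample: server keytab holding only the dotted principal.
sample_dotted_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 nfs.nfs-alok.example.com@EXAMPLE.COM
EOF
}

# Constructed sample: client keytab holding the slash-form root principal.
sample_slash_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 root/nfs-client.example.com@EXAMPLE.COM
EOF
}

# Demo on the constructed samples; on a real host pipe `klist -k` in instead.
sample_dotted_keytab | check_principals nfs nfs-alok.example.com EXAMPLE.COM || true
sample_slash_keytab | check_principals root nfs-client.example.com EXAMPLE.COM || true
```
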

