How to set up NFS client for Kerberized access in Solaris
Mike Eisler
spamisevi1 at yahoo.com
Mon May 3 11:12:35 EDT 2004
alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405030045.7439402b at posting.google.com>...
> Hi Group,
>
> This is Alok Gore from Bangalore India.
> I was trying to set up Kerberized NFS client-server environment in my
> LAN.
> I am using Solaris 8 machines as NFS client/server and Linux machine
> as the KDC (MIT KDC).
>
> I installed the SEAM packages needed for the Kerberized NFS Setup on
> the machine.
> I am able to export a path from NFS Server with Krb5 Security mode.
>
> #share
> - /alok/1 rw ""
> - /alok/2 sec=krb5 ""
>
>
> I am able to mount this path from the Client machine with Krb5
> Security mode.
>
> #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
> #mount
> /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
> on Mon May 3 09:02:27 2004
>
>
> But I can't access/list the mounted directory. It says permission
> denied.
>
> #ls /nfs
> /nfs: Permission denied
>
> I have the nfs.server-hostname at REALM-NAME principal for the nfs server
> in KDC and I have the keytab file containing this principal on the
> server. The KDC also has a principal root.client-hostname at REALM-NAME
> for client. Am I missing something ?
Are you using nfs.server-hostname at REALM-NAME or nfs/server-hostname at REALM-NAME?
The latter is known to work. Ditto root.client-hostname at REALM-NAME versus
root/client-hostname at REALM-NAME.
Did you kinit to root/client-hostname? Or place it in the keytab on the
client? What does:
# klist
on the client display?
> I am not seeing any traffic on the wire when I get this permission
> denied message. (Maybe the client decides locally that it does not
> have enough rights to authenticate itself to NFS Server)
Sounds like you haven't done a kinit or populated the
keytab with the root/client principal. If so, the client
has decided it doesn't have client credentials to ask the
ticket granting service (TGS) on the KDC for a ticket
to access the NFS server.
>
> Is it because I am using MIT KDC ??
Probably not. Solaris/NFS/krb5 is known to work with
MIT and Active Directory in addition to the SEAM KDC.
-mre
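
Added example, not part of the original message or of SEAM: a small shell check that reads klist output and reports which of the conditions raised in the reply applies (no credentials, dotted instead of slash principal, no TGT). It assumes the MIT-style klist layout; the realm EXAMPLE.COM, the host client1.example.com and the function names are constructed for illustration.

```shell
#!/bin/sh
# Classify a client credential cache from klist output on stdin.
# Assumption: MIT-style layout ("Default principal:" header line,
# service principal in the last column of each ticket line).
# Live use on the NFS client: klist 2>/dev/null | diagnose_klist
diagnose_klist() {
    awk '
        /^Default principal:/        { princ = $3 }
        index($NF, "krbtgt/") == 1   { tgt = 1 }
        END {
            # No header line at all: no credential cache was found.
            if (princ == "") { print "no-credentials"; exit }
            split(princ, p, "@")
            # root.host or nfs.host where root/host or nfs/host is expected.
            if (p[1] ~ /^(root|nfs)\./ && index(p[1], "/") == 0) {
                print "dotted-principal"; exit
            }
            # A cache without a ticket-granting ticket cannot ask the TGS.
            if (!tgt) { print "no-tgt"; exit }
            print "ok"
        }'
}

# Constructed sample: cache after a kinit as root/client1.example.com.
sample_ok() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_0
Default principal: root/client1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
05/03/04 09:00:12    05/03/04 17:00:12    krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# Constructed sample: same cache, principal created in the dotted form.
sample_dotted() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_0
Default principal: root.client1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
05/03/04 09:00:12    05/03/04 17:00:12    krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

sample_ok | diagnose_klist
sample_dotted | diagnose_klist
```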