How to set up NFS client for Kerberized access in Solaris
Alok Gore
alokgore at rediffmail.com
Tue May 4 04:30:43 EDT 2004
Thanks a lot for the response! :)
You asked:
> Are you using nfs.server-hostname at REALM-NAME or
> nfs/server-hostname at REALM-NAME?
> The latter is known to work. Ditto root.client-hostname at REALM-NAME
> versus root/client-hostname at REALM-NAME.
I am using nfs/server-hostname at REALM-NAME and
root/client-hostname at REALM-NAME.
I have the keytab file containing the principal
nfs/server-hostname at REALM-NAME copied onto the server, and I have done
kinit on the client. I can see the root/client-hostname at REALM-NAME
principal when I do a klist on the client.
But I am confused! By looking at the principals you cannot distinguish
between the principal for a service and a principal for a user. Does it
matter?
Apologies for the naive questions - I'm new to Kerberos.
I was looking at a thread which is about using Kerberos 4 for NFS
client-server communication on Solaris.
(Refer to: http://groups.google.com/groups?selm=rns.812460270%40deakin.edu.au&oe=UTF-8&output=gplain)
I know that this discussion does not fully apply to me because I am
using krb5 and RPCSEC_GSS mechanisms, but some things may be similar.
Mainly I was able to see these *cookbook* tips for setting it up:
* must run "kerbd" process on both NFS client and NFS server
* must be running a Kerberos *V4* server
* export the filesystem with kerberos authentication enabled:
* obtain "root.client" ticket-granting ticket on the client:
      client# kinit root.client
* mount the filesystem on the client, with the kerberos option:
      client# mount -o rw,kerberos server:/export/xxx /mnt
The above mount command will obtain an "nfs.server" service ticket
from the kerberos server. You can verify this with "klist".
I am worried about two things:
1) I don't have anything like the "kerbd" that is mentioned here.
2) I am not getting the nfs/server-hostname ticket after doing a
mount.
Can you help?
-Alok.
spamisevi1 at yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405030712.473006df at posting.google.com>...
> alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405030045.7439402b at posting.google.com>...
> > Hi Group,
> >
> > This is Alok Gore from Bangalore India.
> > I was trying to set up Kerberized NFS client-server environment in my
> > LAN.
> > I am using Solaris 8 machines as NFS client/server and Linux machine
> > as the KDC (MIT KDC).
> >
> > I installed the SEAM packages needed for the Kerberized NFS Setup on
> > the machine.
> > I am able to export a path from NFS Server with Krb5 Security mode.
> >
> > #share
> > - /alok/1 rw ""
> > - /alok/2 sec=krb5 ""
> >
> >
> > I am able to mount this path from the Client machine with Krb5
> > Security mode.
> >
> > #mount -o sec=krb5 nfs-alok:/alok/2 /nfs
> > #mount
> > /nfs on nfs-alok:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40006
> > on Mon May 3 09:02:27 2004
> >
> >
> > But I can't access/list the mounted directory. It says permission
> > denied.
> >
> > #ls /nfs
> > /nfs: Permission denied
> >
> > I have the nfs.server-hostname at REALM-NAME principal for the nfs server
> > in KDC and I have the keytab file containing this principal on the
> > server. The KDC also has a principal root.client-hostname at REALM-NAME
> > for client. Am I missing something ?
>
> Are you using nfs.server-hostname at REALM-NAME or nfs/server-hostname at REALM-NAME?
> The latter is known to work. Ditto root.client-hostname at REALM-NAME versus
> root/client-hostname at REALM-NAME.
>
> Did you kinit to root/client-hostname? Or place it in the keytab on the
> client? What does:
>
> # klist
>
> on the client display.
>
>
> > I am not seeing any traffic on the wire when I get this permission
> > denied message. (Maybe the client decides locally that it does not
> > have enough rights to authenticate itself to NFS Server)
>
> Sounds like you haven't done a kinit or populated the
> keytab with the root/client principal. If so, the client
> has decided it doesn't have client credentials to ask the
> ticket granting service (TGS) on the KDC for a ticket
> to access the NFS server.
>
> >
> > Is it because I am using MIT KDC ??
>
> Probably not. Solaris/NFS/krb5 is known to work with
> MIT and Active Directory in addition to the SEAM KDC.
>
> -mre
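The reply above boils down to two checks on the client: the principals must be in slash form (nfs/server-hostname@REALM, root/client-hostname@REALM; the mailing-list archive renders "@" as " at "), and after kinit and a sec=krb5 mount the credential cache shown by klist should hold both a TGT and a service ticket for the NFS server. The script below is an added example, not code from this thread or from Solaris; it runs those checks over klist-style text so it can be exercised against the constructed sample output embedded in it. The principal names, the cache path and the ticket lines in the sample are made up for illustration; on a real client you would feed it the output of klist instead.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a krb5 NFS client's
# credential cache. All input is text passed as arguments, so the functions can
# be run against the constructed sample below as well as against real klist output.

# Constructed sample klist output, shaped like what the thread describes a client
# should see after "kinit root/client-hostname" and "mount -o sec=krb5 ...".
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_0
Default principal: root/client-hostname@REALM-NAME

Valid starting     Expires            Service principal
05/04/04 09:00:00  05/04/04 19:00:00  krbtgt/REALM-NAME@REALM-NAME
05/04/04 09:02:27  05/04/04 19:00:00  nfs/server-hostname@REALM-NAME'

# principal_form_ok NAME: returns 0 if NAME is service/instance@REALM (the slash
# form the reply says works), 1 for service.instance@REALM or anything else.
principal_form_ok() {
    case "$1" in
        */*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# default_principal KLIST_TEXT: prints the "Default principal:" value.
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# has_ticket KLIST_TEXT PRINCIPAL: returns 0 if a ticket line ending in PRINCIPAL
# (preceded by whitespace, so a prefix match is not enough) is present.
has_ticket() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# check_client KLIST_TEXT SERVER_PRINC CLIENT_PRINC: runs every check, prints a
# line per finding, and returns 0 only when all of them pass.
check_client() {
    klist_text=$1; server_princ=$2; client_princ=$3; rc=0
    realm=${client_princ#*@}   # everything after the "@"

    if ! principal_form_ok "$server_princ"; then
        echo "server principal '$server_princ' is not in service/host@REALM form"; rc=1
    fi
    if ! principal_form_ok "$client_princ"; then
        echo "client principal '$client_princ' is not in root/host@REALM form"; rc=1
    fi
    if [ "$(default_principal "$klist_text")" != "$client_princ" ]; then
        echo "default principal is not $client_princ (run: kinit $client_princ)"; rc=1
    fi
    if ! has_ticket "$klist_text" "krbtgt/$realm@$realm"; then
        echo "no ticket-granting ticket for $realm in the cache"; rc=1
    fi
    if ! has_ticket "$klist_text" "$server_princ"; then
        echo "no service ticket for $server_princ (a sec=krb5 mount should obtain one)"; rc=1
    fi
    return $rc
}

# Usage on the constructed sample; with real data: check_client "$(klist)" ...
check_client "$SAMPLE_KLIST" nfs/server-hostname@REALM-NAME root/client-hostname@REALM-NAME \
    && echo "client credentials look complete"
```

The principal-form check is deliberately only a pattern test: it catches the dotted "nfs.server" spelling from the old Kerberos 4 cookbook, which is exactly the mismatch the reply points at, but it cannot tell whether the KDC actually has that principal. The missing-service-ticket case corresponds to the second worry in the post above: if the TGT is there but the nfs/ ticket is not, the mount's GSS context setup never completed.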