How to set up NFS client for Kerberized access in Solaris

Alok Gore alokgore at rediffmail.com
Wed May 5 06:55:49 EDT 2004


This time I am sending the *complete* setup on client and server.

SERVER::
server#ps -eaf | grep gssd
    root   295   154  0 06:32:01 ?        0:00 gssd


>>Are you using DNS? Do you have DNS running on your
>>NFS client and server? And on your KDC? Do your
>>root/ and nfs/ principals have fully qualified domain names
>>in them? E.g.

>>root/alok.rediffmail.

>>It might help if you use real names of clients and servers in your
>>examples.


server#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/nfs-alok.blr.novell.com at NFS-REALM

Valid starting            Expires                   Service principal
Wed May 05 01:07:34 2004  Wed May 05 11:07:34 2004  krbtgt/NFS-REALM at NFS-REALM
        renew until Wed May 12 01:07:34 2004

server#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM

server#share
-               /alok/1   rw   ""
-               /alok/2   sec=krb5   ""


>>But, it sounds like you have things set up ok. One other thing is that, I
>>believe, root will still be mapped to nobody, so it may just be that "nobody"
>>doesn't have access to the mount point. You might try opening up the
>>permissions on the mount point on the server or mapping root->root and see
>>if that helps. (Or try a user other than root on the client.)

server#ls -ld / /alok /alok/2
drwxrwxrwx  32 nobody   nobody      1024 May  5 06:32 /
drwxrwxrwx   4 nobody   nobody       512 Apr 16 05:10 /alok
drwxrwxrwx   2 nobody   nobody       512 Apr 16 06:08 /alok/2



CLIENT::
client#ps -eaf |grep gssd
    root   527     1  0 06:46:45 ?        0:00 /usr/lib/gss/gssd
client#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com at NFS-REALM
Valid starting            Expires                   Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/NFS-REALM at NFS-REALM
        renew until Wed May 12 01:07:17 2004

client#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM

client#mount
/nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004 on Wed May  5 07:15:43 2004

client#cd /nfs
bash: cd: /nfs: Permission denied


>>Read the documentation on our web site.  You will find detailed, step-by-step
>>instructions for configuring Kerberized NFS.

Yes! In fact, that was the first source of my information.
I have done everything, including the set-up of the gsscred table;
only two things are not clear to me in the doc.
1) My KDC and the NFS client and server are not time-synchronized. But I
have set the time manually on those machines, which is almost matching.
   But if that *can* create problems like this, I will do a set-up for
running NTP on those machines. Should I?
2) Somewhere in the SEAM configuration doc they say: two KDCs are a must
for SEAM to work.
    Even in my Kerberos set-up (during installation) I was forced to
enter two KDC host names (I have kept both the same):
        [realms]
        NFS-REALM = {
                kdc = nfstest5.blr.novell.com
                kdc = nfstest5.blr.novell.com
                admin_server = nfstest5.blr.novell.com
        }
   Does it matter?

Thanks again for the support.
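As an added example (not from the mail, and not Solaris or SEAM code), a small Python checker that applies the two configuration points raised in this thread to the mail's own `krb5.conf` fragment and `klist -k` listing: it flags a `kdc =` host that is listed twice, and any keytab principal whose host part is not fully qualified or whose realm does not match. Which service principals a host must hold depends on its role (server vs. client), so that set is a parameter rather than an assumption baked in.

```python
import re

# Constructed sample inputs, transcribed from the mail (the list archive's
# " at " obfuscation in principal names restored to "@").
KRB5_CONF = """\
[realms]
        NFS-REALM = {
                kdc = nfstest5.blr.novell.com
                kdc = nfstest5.blr.novell.com
                admin_server = nfstest5.blr.novell.com
        }
"""
KLIST_K = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
"""

def realm_kdcs(conf, realm):
    """Return every kdc= value in the realm's stanza, duplicates included."""
    stanza = re.search(r"^\s*%s\s*=\s*\{(.*?)^\s*\}" % re.escape(realm),
                       conf, re.M | re.S)
    if not stanza:
        return []
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", stanza.group(1), re.M)

def keytab_principals(listing):
    """Parse `klist -k` output into (service, host, realm) tuples."""
    princs = []
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)$", line.rstrip())
        if m:
            princs.append(m.groups())
    return princs

def check(conf, listing, realm, required_services):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    kdcs = realm_kdcs(conf, realm)
    if len(kdcs) != len(set(kdcs)):
        findings.append("krb5.conf repeats the same KDC; a second kdc= line "
                        "only adds failover when it names a different host")
    princs = keytab_principals(listing)
    for svc, host, prealm in princs:
        if "." not in host:
            findings.append("%s/%s is not a fully qualified host name" % (svc, host))
        if prealm != realm:
            findings.append("%s/%s@%s is not in realm %s" % (svc, host, prealm, realm))
    present = {svc for svc, _, _ in princs}
    for svc in sorted(set(required_services) - present):
        findings.append("keytab holds no %s/ principal" % svc)
    return findings
```

Run as `check(KRB5_CONF, KLIST_K, "NFS-REALM", {"nfs"})` for the server side; the duplicate KDC line is the only finding on the mail's data.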

