How to set up NFS client for Kerberized access in Solaris

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu May 6 15:16:48 EDT 2004


Alok Gore wrote:

>>I don't like realms that aren't upper case fully qualified domain
>>names (fqdns). Yours is upper case but not a fqdn. I can't say for sure
>>when I was leading the SEAM team at Sun that this was ever attempted.
>>Wyllys might know if this works.
>
>I'll try with the fqdn as the realm name.

It doesn't matter.  The realm name can be different from the FQDN.

>spamisevi1 at yahoo.com (Mike Eisler) wrote in message 
>
>>The other thing is that you are showing the klist output on the
>>NFS server. We need the klist output for the client.
>>(nfs-alok.blr.novell.com).
>>kinit'ing to root/<client name> on the NFS server is of no use.
>
>Looks like there has been a misunderstanding. I gave the setting both
>on client and server. I am having the keytab containing the
>nfs-service's principal *both* on client and server (I know that
>SEAM Docs do not mandate this keytab on the client machine, but there
>is harm either). I have done kinit on server for root/server-hostname

Yes, it could actually cause a problem.   Each time you 'ktadd' a key
to the keytab, the key is updated in the server's database.  If you
add the same key to the client and the server,  the first one you wrote
will become invalid because the key has been changed when you
wrote it on the 2nd one.

Only store the server key in the server's keytab. 

-Wyllys
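
An added example, not part of the original message: a check for the failure described above, where a second 'ktadd' leaves the first keytab holding an old key. It assumes MIT-style `klist -k` and `kvno` output formats and that 'ktadd' bumps the key version number; the hostnames, realm and sample listings are constructed placeholders.

```python
import re

# Constructed sample: `klist -k` listing of the keytab on the NFS server.
SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 nfs/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
"""

# Constructed sample: current key versions at the KDC, one line per
# `kvno <principal>` call. nfs/ is at 4 because ktadd was run a second
# time for the same principal on another machine.
KDC_KVNOS = """\
nfs/server.example.com@EXAMPLE.COM: kvno = 4
host/server.example.com@EXAMPLE.COM: kvno = 3
"""

def parse_keytab(listing):
    """Return {principal: highest kvno} from `klist -k` text."""
    entries = {}
    for line in listing.splitlines():
        # Entry lines start with a number; headers and rules do not.
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            entries[princ] = max(kvno, entries.get(princ, 0))
    return entries

def parse_kdc(text):
    """Return {principal: kvno} from `kvno` output lines."""
    found = re.findall(r"^(\S+@\S+): kvno = (\d+)\s*$", text, re.M)
    return {princ: int(kvno) for princ, kvno in found}

def stale_entries(keytab_listing, kdc_text):
    """(principal, keytab kvno, KDC kvno) where the keytab key is outdated."""
    keytab, kdc = parse_keytab(keytab_listing), parse_kdc(kdc_text)
    return sorted((p, keytab[p], kdc[p])
                  for p in keytab if p in kdc and keytab[p] < kdc[p])

if __name__ == "__main__":
    for princ, have, want in stale_entries(SERVER_KEYTAB, KDC_KVNOS):
        print(f"{princ}: keytab kvno {have} < KDC kvno {want}; "
              "re-extract the key on the server only")
```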