How to set up NFS client for Kerberized access in Solaris

Rick Macklem rmacklem at uoguelph.ca
Fri May 7 12:07:43 EDT 2004


spamisevi1 at yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405051438.55de1acd at posting.google.com>...
> alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405050255.403754ed at posting.google.com>...
[lots of stuff clipped]
> > Ticket cache: /tmp/krb5cc_0
> > Default principal: root/dharma.blr.novell.com@NFS-REALM
> > Valid starting            Expires                   Service principal
> > Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/NFS-REALM@NFS-REALM
> >         renew until Wed May 12 01:07:17 2004
> > 
> > client#klist -k
> > Keytab name: FILE:/etc/krb5/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    4 nfs/nfs-alok.blr.novell.com@NFS-REALM
[lots more clipped]

I don't know if it will help, but here is what I would do to try and get
it going:
I'll assume the server is nfs-alok.blr.novell.com and the client is
dharma.blr.novell.com.

1 - Go to KDC and with kadmin
  - delete any principals you created before for this
  - create the following 2 principals
    nfs/nfs-alok.blr.novell.com@NFS-REALM
    root/dharma.blr.novell.com@NFS-REALM

  - then create the keytab file for the server with
   # ktadd -e des-cbc-crc:normal -k <some_new_file_name> nfs/nfs-alok.blr.novell.com@NFS-REALM

2 - go to the server (nfs-alok.blr.novell.com) and
  - copy <some_new_file_name> to the keytab file name
  - try the following command, to see if the keytab worked
   # kinit -k nfs/nfs-alok.blr.novell.com
  - if this works ok
    - reboot the server (I don't know Solaris well enough to say if this
      is necessary or not:-)

3 - go to the client (dharma.blr.novell.com)
  - get a credentials cache file for root
   # kinit root/dharma.blr.novell.com@NFS-REALM
    - and type the password you gave it when the principal was created in
      step 1
  - now try the mount
   # mount -F nfs -o vers=3,sec=krb5 nfs-alok.blr.novell.com:/<exp-dir> /mnt
   # ls /mnt

If it still doesn't work, some things to look at:
- make sure that /<exp-dir> on nfs-alok.blr.novell.com has world access
- make des-cbc-crc the default encryption type for both client and server
  (in krb5.conf)
- check that the fully qualified domain names are recognized on both client
  and server and returned as the primary name by the DNS resolver. (One cheesy
  way to ensure this is to put entries for both machines in /etc/hosts with
  the fully qualified names first, then set file before bind for the resolver.
  I'm not sure how this is done on Solaris? In nsswitch.conf or a line like
  "lookup file bind" in resolv.conf or ???)

Good luck with it, rick
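As an added example that is not part of the thread, here is a small Python pre-flight check for the conditions the steps above rely on: the nfs/<server> principal present in the server keytab, a root/<client> credential cache holding an unexpired TGT, and des-cbc-crc listed first for both enctype settings in krb5.conf. The listings it parses are constructed after the ones quoted above; the hostnames, realm and file contents are sample values.

```python
import re
from datetime import datetime

# Constructed sample listings modelled on those quoted in the thread
# (principals written with '@'; the list archive renders it as ' at ').
SERVER_KEYTAB = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com@NFS-REALM
"""
CLIENT_KLIST = """Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com@NFS-REALM
Valid starting            Expires                   Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/NFS-REALM@NFS-REALM
"""
KRB5_CONF = """[libdefaults]
 default_realm = NFS-REALM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
"""
SAMPLE_NOW = datetime(2004, 5, 5, 2, 0, 0)       # "now" for the sample run
TS = r"\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}"     # klist timestamp shape

def keytab_principals(listing):
    """Principals present in 'klist -k' output (KVNO column ignored)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", listing, re.M)}

def first_enctype(conf, key):
    """First value of a libdefaults enctype list in krb5.conf, or None."""
    m = re.search(rf"^\s*{key}\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def check_nfs_krb5(server, client, realm, keytab, klist_out, conf, now):
    """Return the thread's preconditions that fail; empty list means all hold."""
    problems = []
    if f"nfs/{server}@{realm}" not in keytab_principals(keytab):
        problems.append(f"server keytab lacks nfs/{server}@{realm}")
    m = re.search(r"^Default principal:\s+(\S+)\s*$", klist_out, re.M)
    if not m or m.group(1) != f"root/{client}@{realm}":
        problems.append(f"client credential cache is not for root/{client}@{realm}")
    tgt = re.search(rf"^({TS})\s+({TS})\s+krbtgt/{realm}@{realm}", klist_out, re.M)
    if not tgt:
        problems.append("no TGT for the realm in the client credential cache")
    elif datetime.strptime(tgt.group(2), "%a %b %d %H:%M:%S %Y") <= now:
        problems.append("client TGT has expired; run kinit again")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if first_enctype(conf, key) != "des-cbc-crc":
            problems.append(f"{key} does not list des-cbc-crc first")
    return problems
```

On a real host, feed it the output of `klist -k` from the server, `klist` from the client and the client's krb5.conf; an empty result means the mount in step 3 should at least get past the Kerberos part.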

