How to set up NFS client for Kerberized access in Solaris
Rick Macklem
rmacklem at uoguelph.ca
Fri May 7 12:07:43 EDT 2004
spamisevi1 at yahoo.com (Mike Eisler) wrote in message news:<36f0f19f.0405051438.55de1acd at posting.google.com>...
> alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405050255.403754ed at posting.google.com>...
[lots of stuff clipped]
> > Ticket cache: /tmp/krb5cc_0
> > Default principal: root/dharma.blr.novell.com at NFS-REALM
> > Valid starting Expires
> > Service principal
> > Wed May 05 01:07:17 2004 Wed May 05 11:07:17 2004
> > krbtgt/NFS-REALM at NFS-REALM
> > renew until Wed May 12 01:07:17 2004
> >
> > client#klist -k
> > Keytab name: FILE:/etc/krb5/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> > 4 nfs/nfs-alok.blr.novell.com at NFS-REALM
[lots more clipped]
I don't know if it will help, but here is what I would do to try and get
it going:
I'll assume the server is nfs-alok.blr.novell.com and the client is
dharma.blr.novell.com.
1 - Go to KDC and with kadmin
- delete any principals you created before for this
- create the following 2 principals
nfs/nfs-alok.blr.novell.com at NFS-REALM
root/dharma.blr.novell.com at NFS-REALM
- then create the keytab file for the server with
ktadd -e des-cbc-crc:normal -k <some_new_file_name>
nfs/nfs-alok.blr.novell.com at NFS-REALM
2 - go to the server (nfs-alok.blr.novell.com) and
- copy <some_new_file_name> to the keytab file name
- try the following command, to see if the keytab worked
# kinit -k nfs/nfs-alok.blr.novell.com
- if this works ok
- reboot the server (I don't know Solaris well enough to say if this
is necessary or not:-)
3 - go to the client (dharma.blr.novell.com)
- get a credentials cache file for root
# kinit root/dharma.blr.novell.com at NFS-REALM
- and type the password you gave it when the principal was created in
step 1
- now try the mount
# mount -F nfs -o vers=3,sec=krb5 nfs-alok.blr.novell.com:/<exp-dir> /mnt
# ls /mnt
If it still doesn't work, some things to look at:
- make sure that /<exp-dir> on nfs-alok.blr.novell.com has world access
- make des-cbc-crc the default encryption type for both client and server
(in krb5.conf)
- check that the fully qualified domain names are recognized on both client
and server and returned as the primary name by the DNS resolver. (One cheezy
way to ensure this is to put entries for both machines in /etc/hosts with
the fully qualified names first, then set file before bind for the resolver.
I'm not sure how this is done on Solaris? In nsswitch.conf or a line like
"lookup file bind" in resolv.conf or ???)
Good luck with it, rick
More information about the Kerberos
mailing list