How to set up NFS client for Kerberized access in Solaris
Mike Eisler
spamisevi1 at yahoo.com
Tue May 4 17:45:54 EDT 2004
alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405040030.5b665945 at posting.google.com>...
> But I have a confusion! By looking at the principals you can not
> distinguish between the principal for a service and a principal for a
> user. Does it matter ?
No. A user principal can be used for a service,
and vice versa.
>
> Apologies for the naive questions - I'm new to Kerberos.
>
>
> I was looking at a thread which is about using kerberos 4 for NFS client
> server communication on Solaris.
> (Refer to: http://groups.google.com/groups?selm=rns.812460270%40deakin.edu.au&oe=UTF-8&output=gplain)
> I know that this discussion does not fully apply to me because I am
> using krb5 and RPCSEC_GSS mechanisms, but some things may be similar.
>
> Mainly I was able to see these *cookbook* tips for setting it up
NFS over Kerberos V4 is obsolete technology.
>
>
> * must run "kerbd" process on both NFS client and NFS server
> * must be running a Kerberos *V4* server
> * export the filesystem with kerberos authentication enabled:
> * obtain "root.client" ticket-granting ticket on the client:
> client# kinit root.client
> * mount the filesystem on the client, with the kerberos option:
> client# mount -o rw,kerberos server:/export/xxx /mnt
>
> The above mount command will obtain an "nfs.server" service ticket
> from the kerberos server. You can verify this with "klist".
>
> I am worried about two things:
> 1) I don't have anything like the "kerbd" that is mentioned here.
No, you have gssd which does the same thing.
> 2) I am not getting the nfs/server-hostname ticket after doing a
> mount.
If you put root/<client-name> into your keytab things should work.
Or do a kinit. What does klist show after the mount?
You should follow the SEAM configuration instructions on
docs.sun.com.
Are you using DNS? Do you have DNS running on your
NFS client and server? And on your KDC? Do your
root/ and nfs/ principals have fully qualified domain names
in them? E.g.
root/alok.rediffmail.
It might help if you use real names of clients and servers in your
examples.
You might also try to use the SEAM KDC, get that working, before
using the MIT KDC. Since you are new to Kerberos, it might be
best if you use Sun's code everywhere until you get things working.
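The checks Mike runs through above (gssd rather than kerbd, a root/<client> key in the keytab or a ticket from kinit, fully qualified host names in the root/ and nfs/ principals, and an nfs/<server> service ticket in klist once the mount has gone through) collected into one small shell script. This is an added example, not code from the post, from Sun's SEAM documentation or from MIT; the two klist listings embedded in it are constructed, and the names client.example.com, nfs1.example.com and the realm EXAMPLE.COM are assumptions. On a real client replace the embedded listings with the output of `klist -k` and `klist` taken after the mount.

```shell
#!/bin/sh
# Added example: sanity checks for a Solaris NFS client using RPCSEC_GSS/krb5.
# Hostnames and realm below are assumptions; the klist listings are constructed.

# Constructed output of `klist -k` for the client's /etc/krb5/krb5.keytab.
KEYTAB_LIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 root/client.example.com@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM'

# Constructed output of `klist` on the client after
#   mount -o sec=krb5 nfs1.example.com:/export /mnt
# (assumed Solaris mount syntax for the krb5 RPCSEC_GSS flavor).
CACHE_LIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/client.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
05/04/04 17:10:00  05/05/04 03:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/04/04 17:10:05  05/05/04 03:10:00  nfs/nfs1.example.com@EXAMPLE.COM'

# is_fqdn_principal PRINCIPAL
# Succeeds only if the instance part (between / and @) contains a dot,
# i.e. the principal was built from a fully qualified host name.
is_fqdn_principal() {
    case "$1" in
        */*.*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# keytab_has PRINCIPAL: is PRINCIPAL listed in the keytab listing?
keytab_has() {
    printf '%s\n' "$KEYTAB_LIST" |
        awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# cache_has_service SERVICE HOST REALM
# Does the credential cache listing contain a SERVICE/HOST@REALM ticket?
cache_has_service() {
    printf '%s\n' "$CACHE_LIST" |
        awk -v p="$1/$2@$3" '$NF == p { found = 1 } END { exit !found }'
}

# check_nfs_client CLIENT_FQDN SERVER_FQDN REALM
# Prints one line per check; returns non-zero if any check failed.
check_nfs_client() {
    client=$1; server=$2; realm=$3; rc=0
    for p in "root/$client@$realm" "nfs/$server@$realm"; do
        if is_fqdn_principal "$p"; then
            echo "ok   $p uses a fully qualified host name"
        else
            echo "FAIL $p: instance is not fully qualified (check DNS and hostname)"
            rc=1
        fi
    done
    # Per the post: either put root/<client> in the keytab, or kinit as it.
    if keytab_has "root/$client@$realm"; then
        echo "ok   keytab holds root/$client@$realm"
    elif printf '%s\n' "$CACHE_LIST" |
            grep -q "^Default principal: root/$client@$realm\$"; then
        echo "ok   credential cache holds root/$client@$realm (from kinit)"
    else
        echo "FAIL no root/$client@$realm key in keytab and no such ticket cache"
        rc=1
    fi
    if cache_has_service nfs "$server" "$realm"; then
        echo "ok   klist shows nfs/$server@$realm service ticket"
    else
        echo "FAIL no nfs/$server@$realm ticket: GSS context was never established"
        rc=1
    fi
    return $rc
}

# Usage: with the assumed names all four checks pass.
check_nfs_client client.example.com nfs1.example.com EXAMPLE.COM
```

The last check is the one that answers Alok's second question: if the nfs/<server> ticket is missing after the mount, the client never completed RPCSEC_GSS context setup, so the cause is upstream (keytab, kinit, unqualified names or DNS), not the mount command itself.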