How to set up NFS client for Kerberized access in Solaris

Mike Eisler spamisevi1 at yahoo.com
Thu May 6 12:37:26 EDT 2004


alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405060222.364ea2f3 at posting.google.com>...
> spamisevi1 at yahoo.com (Mike Eisler) wrote in message 
> > The other thing is that you are showing the klist output on the
> > NFS server. We need to klist output for the client.
> > (nfs-alok.blr.novell.com).
> > kinit'ing to root/<client name> on the NFS server is of no use.
> 
> Looks like there has been a misunderstanding. I gave the setting both
> on client and server. I am having the keytab containing the
> nfs-service's principal *both* on client and server (I know that
> SEAM Docs do not mandate this keytab on the client machine, but there
> is harm either). I have done kinit on server for root/server-hostname

My understanding is that when an MIT or SEAM KDC extracts a key into
a keytab, the key is changed. So depending on how you are constructing
these keytabs, harm is quite possible. Since there's no benefit
to doing this, and a security risk to doing it, don't do it.
Similarly, there's no benefit to kiniting to the NFS client principal
from the NFS server's shell.

Suggestion: remove your keytabs, remove the nfs principal, re-create
it, and extract it into one and only one keytab onto the
NFS server.

> and have done kinit on client for root/client-hostname.
> 
> (All those lines that start with #client are the commands executed on
> the client machine and all those line starting with #server are
> commands on server)

Ok, I missed the part where you are kinit'ing on the client
to root/dharma. Apologies. You had:

client#klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/dharma.blr.novell.com at NFS-REALM
Valid starting                       Expires                      
Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004 
krbtgt/NFS-REALM at NFS-REALM
        renew until Wed May 12 01:07:17 2004

client#klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM
   4 nfs/nfs-alok.blr.novell.com at NFS-REALM

client#mount
/nfs on dharma:/alok/2 remote/read/write/setuid/sec=krb5/dev=2e40004
on Wed May  5 07:15:43 2004

client#cd /nfs
bash: cd: /nfs: Permission denied

------------------------------

So what does klist show after the "cd /nfs"?

If there's a service ticket to the NFS server, then
this suggests a problem between the NFS client and the
NFS server. If there is no ticket, then something else
is going on ... try analyzing the traffic between the
NFS client and the KDC.
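A small shell helper, added here and not part of the thread, that applies the two checks in the reply to saved `klist -k` and `klist` output: is the server's nfs/ key present in a keytab where it should not be, and after the failed `cd /nfs` is there a service ticket for the NFS server? It assumes MIT/SEAM klist text in the layout shown above (the archive printed "@" as " at "; real output uses "@"); the hostnames and sample output are constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Parses the text of
# "klist -k" and "klist" in the MIT/SEAM layout shown in the thread.
# Hostnames and samples below are constructed; the realm is the thread's.
NFS_SERVER="nfs-server.example"   # assumption: NFS server hostname
REALM="NFS-REALM"

# Count entries in "klist -k" output (stdin) for principal $1.
# The server's nfs/ key belongs in exactly one keytab, on the server; a
# copy on the client is an extra exposure of that key with no benefit.
keytab_entry_count() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { n++ } END { print n + 0 }'
}

# Succeed if "klist" output (stdin) lists a ticket for principal $1.
# Every field is compared, so it works whether the service principal is
# on the same line as the times or wrapped onto the next line.
has_ticket_for() {
    awk -v p="$1" '{ for (i = 1; i <= NF; i++) if ($i == p) f = 1 }
                   END { exit f ? 0 : 1 }'
}

# The reply's decision rule, applied to klist output captured right after
# the failed access: a service ticket for nfs/<server> means the fault is
# between NFS client and server; no ticket means the client never obtained
# one, so the client<->KDC exchange is where to look next.
diagnose_after_access() {
    if has_ticket_for "nfs/$1@$2"; then
        echo "client-server"
    else
        echo "client-kdc"
    fi
}

# Constructed sample: a client cache holding only the TGT, as in the thread.
SAMPLE_CACHE='Ticket cache: /tmp/krb5cc_0
Default principal: root/nfs-client.example@NFS-REALM
Valid starting                Expires                Service principal
Wed May 05 01:07:17 2004  Wed May 05 11:07:17 2004  krbtgt/NFS-REALM@NFS-REALM
        renew until Wed May 12 01:07:17 2004'

# Constructed sample: a client keytab that wrongly carries the server key.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------
   4 nfs/nfs-server.example@NFS-REALM
   4 nfs/nfs-server.example@NFS-REALM'

printf '%s\n' "$SAMPLE_CACHE" | diagnose_after_access "$NFS_SERVER" "$REALM"
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_entry_count "nfs/$NFS_SERVER@$REALM"
```

On a real client, pipe `klist` output captured immediately after the failed `cd` into `diagnose_after_access`, and `klist -k` into `keytab_entry_count` with the server's principal (a count above zero on the client is the situation the reply advises against).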


More information about the Kerberos mailing list