How to set up NFS client for Kerberized access in Solaris

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon May 10 08:03:16 EDT 2004


Rick Macklem wrote:

>I don't know if it will help, but here is what I would do to try and get
>it going:
>I'll assume the server is nfs-alok.blr.novell.com and the client is
>dharma.blr.novell.com.
>
>1 - Go to KDC and with kadmin
>  - delete any principals you created before for this
>  - create the following 2 principals
>    nfs/nfs-alok.blr.novell.com@NFS-REALM
>    root/dharma.blr.novell.com@NFS-REALM
>
>  - then create the keytab file for the server with
>  ktadd -e des-cbc-crc:normal -k <some_new_file_name>
>     nfs/nfs-alok.blr.novell.com@NFS-REALM
>
>2 - go to the server (nfs-alok.blr.novell.com) and
>  - copy <some_new_file_name> to the keytab file name
>  - try the following command, to see if the keytab worked
>   # kinit -k nfs/nfs-alok.blr.novell.com
>   - if this works ok
>     - reboot the server (I don't know Solaris well enough to say if this
>               is necessary or not:-)
>  
>

Definitely NOT necessary.  If it doesn't work, check the KDC logfiles
to see if the correct tickets are being requested and created when the
nfs share is being accessed.  Check system logs to see if the kernel is
reporting any errors from the NFS modules.

>3 - go to the client (dharma.blr.novell.com)
>  - get a credentials cache file for root
>   # kinit root/dharma.blr.novell.com@NFS-REALM
>    - and type the password you gave it when the principal was created in
>      step 1
>  - now try the mount
>   # mount -F nfs -o vers=3,sec=krb5 nfs-alok.blr.novell.com:/<exp-dir> /mnt
>   # ls /mnt
>
>If it still doesn't work, some things to look at:
>- make sure that /<exp-dir> on nfs-alok.blr.novell.com has world access
>- make des-cbc-crc the default encryption type for both client and server
>  (in krb5.conf)
>- check that the fully qualified domain names are recognized on both client
>  and server and returned as the primary name by the DNS resolver. (One cheesy
>  way to ensure this is to put entries for both machines in /etc/hosts with
>  the fully qualified names first, then set file before bind for the resolver.
>  I'm not sure how this is done on Solaris? In nsswitch.conf or a line like
>  "lookup file bind" in resolv.conf or ???)
>  
>

Solaris nsswitch.conf entry for host lookup:

hosts:   files dns

-Wyllys
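
The name-resolution checks discussed in this thread (files consulted before DNS, and the fully qualified name listed first in /etc/hosts) can be scripted. The following is an added example, not part of the original posts; the function names are hypothetical and the sample files are constructed, with addresses taken from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example, not from the thread. Checks name-resolution prerequisites
# against the files given as arguments. Needs a POSIX awk (on Solaris
# substitute nawk or /usr/xpg4/bin/awk; the old /usr/bin/awk lacks -v).

# Succeeds if the "hosts:" line lists "files" ahead of "dns"
# (or lists "files" with no "dns" at all).
hosts_files_first() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        $1 == "hosts:" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "dns" && !d) d = i
            }
        }
        END { exit !(seen && f && (!d || f < d)) }
    ' "$1"
}

# Succeeds if the FQDN appears in the hosts file and is the first name
# after the address on every line that mentions it.
fqdn_is_primary() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) {
                    found = 1
                    if (i != 2) bad = 1    # short name or alias comes first
                }
        }
        END { exit !(found && !bad) }
    ' "$1"
}

# Constructed sample files: hostnames from the thread, made-up addresses.
tmp=$(mktemp -d)
printf 'hosts:   files dns\n' > "$tmp/nsswitch.conf"
printf '192.0.2.10 nfs-alok.blr.novell.com nfs-alok\n' > "$tmp/hosts"
printf '192.0.2.11 dharma dharma.blr.novell.com\n' >> "$tmp/hosts"

hosts_files_first "$tmp/nsswitch.conf" && echo "nsswitch: files before dns"
for h in nfs-alok.blr.novell.com dharma.blr.novell.com; do
    if fqdn_is_primary "$tmp/hosts" "$h"; then echo "$h: FQDN is primary"
    else echo "$h: FQDN missing or not listed first"; fi
done
rm -rf "$tmp"
```

In the constructed hosts file the dharma entry lists the short name first, so the second check flags it; on a real system pass /etc/nsswitch.conf and /etc/hosts instead.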


