How to set up NFS client for Kerberized access in Solaris
Mike Eisler
spamisevi1 at yahoo.com
Fri May 14 12:02:21 EDT 2004
alokgore at rediffmail.com (Alok Gore) wrote in message news:<a9877ca0.0405122230.2db4cd65 at posting.google.com>...
> I took the snoop traces and saw that the client was indeed asking for
> wrong ticket during mount. (Because of some goof up in the /etc/hosts)
This tells me you don't have resolv.conf set up to use DNS on the
NFS clients.
>
> I corrected that and now I am able to see the nfs service ticket after
> I mount the remote path on the client machine.
>
> Now Server has the ticket for nfs service in the keytab file and the
> client has obtained the nfs service ticket during mount operation.
>
>
> I am not able to cd to the mounted path even now !
>
> I analysed the traces between the NFS client and the NFS Server. After
> getting the nfs service ticket, the Client should try to establish
> Context by making an RPC null proc call in RPCSEC_GSS authentication
> flavour. This is not happening.
> Looks like the client has decided locally about the insufficient rights
> (??).
>
>
> >>- make des-cbc-crc the default encryption type for both client and server
> >> (in krb5.conf)
>
> I tried doing this. Same result.
>
> But I am not sure about one thing:
> The RPCSEC_GSS implementation defines 390003 as the krb5 security
> flavour and this uses *DEC,MAC,MD5* triplet as the algorithm for
> authentication, integrity and privacy.
>
> But the des-cbc-md5 mode is not supported by the KDC (MIT KDC running
> on Linux machine). Could this be a reason for the failure?
That's hard to believe.
>
> Will moving to a Solaris KDC help ?
I honestly don't understand why you
are having problems. Hands on access to your
systems will be necessary. Consider hiring a consultant
to help you get going.