Kerberized NFSv4 problems
weiler at soe.ucsc.edu
Mon Jun 19 14:34:54 EDT 2006
> Is there a particular reason you are limiting yourself to DES keys?
> (This isn't a problem though, just a question.)
No reason really, just using DES keys for testing. Once I get this
working I'll move up to better encryption.
> I'm pretty sure MYREALM.COM is a default value. Or did you change the
> output on purpose before posting here?
Changed the values on all that stuff, I guess I'm just paranoid.... :)
> Did you edit /etc/krb5.conf on Solaris and NOT /etc/krb5/krb5.conf?
> Solaris sticks the Kerberos config files (and keytabs) into the
> /etc/krb5 directory. If you have them in /etc/ then they probably
> aren't being read.
Everything on the Solaris box is in /etc/krb5/.
> Can you kinit successfully from Solaris? If the krb5.conf isn't correct
> its not likely to work.
I can kinit OK. I get a ticket successfully.
> The Key Version number gets incremented when you either change the
> password of a principal or extract a new keytab (which is actually a
> password change as well.) If you are getting kvno mis-matches than the
> key in the KDC doesn't match the key in the keytab. You can verify this
> by trying to manually kinit to the principal in the keytab. kinit -kt
> /etc/krb5.keytab <principal> If you don't get any errors and the can
> klist and see your tickets than all should be well regarding the keytab
> and kvno.
I can do this:
kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com
kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com
with no errors. When I do a klist then I get:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solarisclient.domain.com at MYREALM.COM
Valid starting Expires Service principal
06/19/06 11:21:20 06/20/06 11:21:20 krbtgt/MYREALM.COM at MYREALM.COM
renew until 06/19/06 11:21:20
Does this mean that things *should* be working, but they aren't? That's
scary... :( I tried kinit'ing as nfs/solarisclient.domain.com and then
tried to mount but got the same error in the logs...
Thanks for replying by the way!
More information about the Kerberos