Kerberized NFSv4 problems

Erich Weiler weiler at soe.ucsc.edu
Mon Jun 19 14:34:54 EDT 2006


Hi Christopher,

> Is there a particular reason you are limiting yourself to DES keys? 
> (This isn't a problem though, just a question.)

No reason really, just using DES keys for testing.  Once I get this 
working I'll move up to better encryption.

> I'm pretty sure MYREALM.COM is a default value.  Or did you change the 
> output on purpose before posting here?

Changed the values on all that stuff, I guess I'm just paranoid....  :)

> Did you edit /etc/krb5.conf on Solaris and NOT /etc/krb5/krb5.conf? 
> Solaris sticks the Kerberos config files (and keytabs) into the 
> /etc/krb5 directory.  If you have them in /etc/ then they probably 
> aren't being read.

Everything on the Solaris box is in /etc/krb5/.

> Can you kinit successfully from Solaris?  If the krb5.conf isn't correct 
> it's not likely to work.

I can kinit OK.  I get a ticket successfully.

> The Key Version number gets incremented when you either change the 
> password of a principal or extract a new keytab (which is actually a 
> password change as well.)  If you are getting kvno mis-matches then the 
> key in the KDC doesn't match the key in the keytab.  You can verify this 
> by trying to manually kinit to the principal in the keytab.  kinit -kt 
> /etc/krb5.keytab <principal>  If you don't get any errors and can then 
> klist and see your tickets then all should be well regarding the keytab 
> and kvno.

I can do this:

kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com
kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com

with no errors.   When I do a klist then I get:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solarisclient.domain.com@MYREALM.COM
Valid starting                Expires                Service principal
06/19/06 11:21:20  06/20/06 11:21:20  krbtgt/MYREALM.COM@MYREALM.COM
         renew until 06/19/06 11:21:20

Does this mean that things *should* be working, but they aren't?  That's 
scary...  :(  I tried kinit'ing as nfs/solarisclient.domain.com and then 
tried to mount but got the same error in the logs...

Thanks for replying by the way!

ciao, erich
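The kvno check Christopher describes above can be done without a trial kinit: compare the key version numbers stored in the keytab (as printed by "klist -kte") against the versions the KDC is currently issuing for the same principals (as printed by "kvno", which needs a valid TGT, as the poster already has). The script below is an added example, not part of the original post; the two sample outputs are constructed to look like MIT-style klist/kvno output, and the principal names, kvno values and keytab path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the key version
# numbers in a keytab against those the KDC reports, per principal.
# A mismatch means the keytab is stale: the KDC key was re-randomized
# (ktadd / password change) after the keytab was extracted.

# Constructed sample of "klist -kte /etc/krb5/krb5.keytab" output (assumption).
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/19/06 10:02:11 nfs/solarisclient.domain.com@MYREALM.COM (DES cbc mode with CRC-32)
   2 06/19/06 09:55:40 host/solarisclient.domain.com@MYREALM.COM (DES cbc mode with CRC-32)'

# Constructed sample of "kvno nfs/... host/..." output (assumption):
# the KDC is already at kvno 4 for nfs/, so the keytab entry (kvno 3) is stale.
KDC_KVNO='nfs/solarisclient.domain.com@MYREALM.COM: kvno = 4
host/solarisclient.domain.com@MYREALM.COM: kvno = 2'

# keytab_kvno LISTING PRINCIPAL -> highest kvno stored for PRINCIPAL, or empty.
# Fields of a data line: KVNO, date, time, principal, (enctype...).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max) print max }'
}

# kdc_kvno OUTPUT PRINCIPAL -> kvno the KDC reports for PRINCIPAL, or empty.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p ":" { print $NF }'
}

# check_kvno LISTING OUTPUT PRINCIPAL
# Prints "ok" (versions agree), "stale" (keytab behind the KDC) or
# "missing" (principal absent from one side); exit status 0 only on "ok".
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ -z "$kt" ] || [ -z "$kdc" ]; then
        echo "missing"; return 2
    elif [ "$kt" = "$kdc" ]; then
        echo "ok"; return 0
    else
        echo "stale"; return 1
    fi
}

# Stand-alone run over the constructed samples.
for princ in nfs/solarisclient.domain.com@MYREALM.COM \
             host/solarisclient.domain.com@MYREALM.COM; do
    printf '%s: %s\n' "$princ" "$(check_kvno "$KEYTAB_LISTING" "$KDC_KVNO" "$princ")"
done
```

On a real client, feed it the live output instead of the constructed strings, e.g. check_kvno "$(klist -kte /etc/krb5/krb5.keytab)" "$(kvno nfs/solarisclient.domain.com)" nfs/solarisclient.domain.com@MYREALM.COM. When kinit -kt succeeds for the nfs/ principal, as in the post, the keytab and KDC already agree for that principal, so a "stale" result here would point elsewhere (a different keytab file being read, or a different principal being requested by the NFS server).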


