Kerberized NFSv4 problems
Christopher D. Clausen
cclausen at acm.org
Mon Jun 19 14:43:10 EDT 2006
Erich Weiler <weiler at soe.ucsc.edu> wrote:
> I can do this:
>
> kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com
> kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com
>
> with no errors. When I do a klist then I get:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/solarisclient.domain.com at MYREALM.COM
> Valid starting Expires Service principal
> 06/19/06 11:21:20 06/20/06 11:21:20 krbtgt/MYREALM.COM at MYREALM.COM
> renew until 06/19/06 11:21:20
>
> Does this mean that things *should* be working, but they aren't?
> That's scary... :( I tried kinit'ing as
> nfs/solarisclient.domain.com and then tried to mount but got the same
> error in the logs...
Hmm... krb5cc_0 would seem to be root's Kerberos cache. Is NFS just
being explicitly denied for root? Or is root otherwise treated
differently than normal user accounts? (I use OpenAFS myself, so I
don't really know how this NFSv4 stuff works.)

Do you have some other kerberized services that you can test with? SSH
perhaps? (The sshd on Solaris should support Kerberos out of the box.)
It would help to see if this is a problem with Kerberos or a problem
with NFS.
<<CDC
--
Christopher D. Clausen
ACM at UIUC SysAdmin