Kerberized NFSv4 problems

Christopher D. Clausen cclausen at acm.org
Mon Jun 19 14:43:10 EDT 2006


Erich Weiler <weiler at soe.ucsc.edu> wrote:
> I can do this:
>
> kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com
> kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com
>
> with no errors.   When I do a klist then I get:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/solarisclient.domain.com at MYREALM.COM
> Valid starting                Expires                Service principal
> 06/19/06 11:21:20  06/20/06 11:21:20  krbtgt/MYREALM.COM at MYREALM.COM
>         renew until 06/19/06 11:21:20
>
> Does this mean that things *should* be working, but they aren't? 
> That's scary...  :(  I tried kinit'ing as
> nfs/solarisclient.domain.com and then tried to mount but got the same
> error in the logs...

Hmm... krb5cc_0 would seem to be root's Kerberos cache.  Is NFS just 
being explicitly denied for root?  Or is root otherwise treated 
differently than normal user accounts?  (I use OpenAFS myself, so I 
don't really know how this NFSv4 stuff works.)


Do you have some other kerberized services that you can test with?  SSH 
perhaps?  (The sshd on Solaris should support Kerberos out of the box.) 
It would help to see if this is a problem with Kerberos or a problem 
with NFS.

<<CDC
-- 
Christopher D. Clausen
ACM at UIUC SysAdmin 




