Kerberized NFSv4 problems

Will Fiveash William.Fiveash at sun.com
Mon Jun 19 21:14:36 EDT 2006


On Mon, Jun 19, 2006 at 11:56:46AM -0700, Erich Weiler wrote:
> > Hmm... krb5cc_0 would seem to be root's Kerberos cache.  Is NFS just 
> > being explicitly denied for root?  Or is root otherwise treated 
> > differently than normal user accounts?  (I use OpenAFS myself, so I 
> > don't really know how this NFSv4 stuff works.)
> 
> NFS shouldn't be denied for root as far as I know...  At least I hope 
> not, because when a user SSH'es in for example, the automounter (root 
> process) has got to be able to mount an NFSv4 home directory for that 
> user.  Or maybe the automounter mounts it AS that user after a Kerberos 
> ticket has been issued....  Not sure.
> 
> > Do you have some other kerberized services that you can test with?  SSH 
> > perhaps?  (The sshd on Solaris should support Kerberos out of the box.) 
> > It would help to see if this is a problem with Kerberos or a problem 
> > with NFS.
> 
> I can SSH in and SSH talks to PAM (pam_krb5.so.1 specifically) and I get 
> a ticket when SSH logs me in, so that looks cool.
> 
> As Kevin suggested, I tried checking KVNO version numbers on the nfs 
> principal and the keytab and the version numbers differ, maybe that is 
> the problem...  I feel like I'm close by just one step away...  :)

Yes, the KVNO for the NFS service principal key must match in the
krb5.keytab on the NFS server and in the princ. DB that the KDC is using.
If you can, just use kadmin on the NFS server and do:

ktadd nfs/somehost.foo.bar.com

which should get the kvno's in sync.  You should also read the Solaris
10 Kerberos documentation on docs.sun.com very carefully as it goes step
by step on how to configure Kerberos and NFS to use Kerberos.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
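
An added example, not part of the original message: a way to check the KVNO condition described above by reading the kvno of each entry straight out of keytab bytes (the 0x0502 keytab file format used by MIT krb5) and comparing it with the kvno the KDC reports. The realm EXAMPLE.COM, the kvno values and the all-zero key are constructed sample data, and the function names are made up for this example.

```python
import struct

def build_entry(principal, realm, kvno, enctype=18):
    """Constructed test entry; the key is 32 zero bytes, not a real key."""
    c = lambda b: struct.pack(">H", len(b)) + b        # counted octet string
    parts = principal.encode().split(b"/")
    body = struct.pack(">H", len(parts)) + c(realm.encode())
    body += b"".join(c(p) for p in parts)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + c(bytes(32))  # keyblock
    body += struct.pack(">I", kvno)                    # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def keytab_kvnos(data):
    """Map 'service/host@REALM' -> set of kvnos found in 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                                  # hole left by a deleted entry
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) < size:
            raise ValueError("truncated keytab entry")
        off = 2                                        # just past the component count
        def counted():
            nonlocal off
            (n,) = struct.unpack_from(">H", entry, off)
            off += 2 + n
            return entry[off - n:off]
        (ncomp,) = struct.unpack_from(">H", entry)
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        kvno = entry[off + 8]                          # after name type and timestamp
        off += 11                                      # also skips kvno byte and enctype
        counted()                                      # skip the key bytes unread
        if len(entry) - off >= 4:                      # non-zero 32-bit kvno wins
            (v32,) = struct.unpack_from(">I", entry, off)
            kvno = v32 or kvno
        found.setdefault(f"{name}@{realm}", set()).add(kvno)
    return found

def kvno_in_sync(data, principal, kdc_kvno):
    """True when the keytab holds a key at the kvno the KDC reports."""
    return kdc_kvno in keytab_kvnos(data).get(principal, set())

SAMPLE = b"\x05\x02" + build_entry("nfs/somehost.foo.bar.com", "EXAMPLE.COM", 3)
```

With the constructed SAMPLE, kvno_in_sync(SAMPLE, "nfs/somehost.foo.bar.com@EXAMPLE.COM", 4) is False, which is the mismatch discussed in the thread; on a real server the bytes would come from the keytab file, read as root.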


