NFSv4 with sec=krb5 mounts not working under Solaris
Will Fiveash
William.Fiveash at sun.com
Thu May 25 20:08:30 EDT 2006
On Thu, May 25, 2006 at 04:23:26PM -0700, Erich Weiler wrote:
> Hi All,
>
> I've been beating my head against this for a while now and thought I'd
> post here to see if anyone knows where I'm going wrong. I installed
> MIT's Kerberos on my Solaris 10 box, using krb5 to authenticate against
> a Kerberos server running Fedora Core 5. Works great, I can SSH in to
> my Solaris 10 client and get a ticket and things are groovy.
Is there a reason you aren't using the native Kerberos and SSH on
Solaris 10?
> What I'd like to do now is mount an NFSv4 mount from that same Fedora
> Core 5 box with sec=krb5 as a mount option. What I did:
>
> 1: On the Solaris 10 client, I ran kadmin:
>
> kadmin: addprinc -randkey nfs/solaris10host.domain.com
> kadmin: ktadd -e des-cbc-crc:normal nfs/solaris10host.domain.com
>
> /etc/krb5.keytab file was created successfully. Then, as root on
> solaris10host:
>
> % mount -F nfs -o vers=4 -o sec=krb5 nfs4server:/ /mnt
> nfs mount: mount: /mnt: Permission denied
>
> Can't figure out where I'm going wrong. Does anyone have any ideas?
Did you install a version of NFS that uses the MIT Kerberos? If not and
you are using the native Solaris NFS then you'll need to configure the
native Solaris Kerberos. I think you can copy (or symlink) the
krb5.conf to /etc/krb5/krb5.conf and copy/symlink the /etc/krb5.keytab
to /etc/krb5/krb5.keytab. Make sure the keytab is only readable by
root. In addition there are online docs for configuring S10 NFS to use
krb auth.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
More information about the Kerberos
mailing list